A data breach is a data breach, regardless of whether the data was stolen directly or via a third party …

Earlier this month, a vendor of Fullerton Health, one of Singapore’s private healthcare groups, suffered a breach in which customers’ personal details were stolen by hackers and put up for sale on hacking forums.

The hackers have since claimed that they had stolen the data of 400,000 people, including their insurance policy details. A sample of the data uploaded by the unidentified hackers included customer names and identity card numbers, as well as information about bank accounts, employers and medical history. It also had the personal details of the customers’ children.

The data was being sold for US$600 in Bitcoin, but the posts offering the sale have been taken down since 22 Oct. Fullerton Health has confirmed that its own networks were not compromised, and that the vendor involved in the breach, Agape Connecting People, is assisting the authorities with investigations.

This latest incident of a third-party breach is just one of many in Singapore and around the world. According to Kamal Brar, Vice President and General Manager (Asia Pacific and Japan), Rubrik: “It is important to remember that any organization that falls victim to a cyberattack is just that, a victim. Some of the world’s largest businesses and government agencies have also been compromised, and they would all have had the latest anti-malware and perimeter security solutions.”

Eric Nagel, General Manager, APAC, Cybereason, commented: “The Fullerton Health data breach is a reminder about the critical need for businesses to have a post-breach mindset in combating cyber risks. You must assume the threat actors will get in, because they eventually will, and stop(ping) them quickly and pushing them out of networks become essential to keep your customers and partners safe.”

He added: “Also, this data breach is a reminder that as consumers our personal information has been stolen many times over and sold on the DarkWeb. It appears that personal banking information, medical records and identity card numbers were stolen and only in time will consumers know if their personal information was used in an identity theft scam or fraud was committed.”

Fight the good fight

Brar said that the fight against cyber-attackers is asymmetric: “An organization needs to stop all attacks to be successful (in its cyberdefense), while a hacker needs only one malicious email to be clicked to completely compromise an organization.”

The Singapore Computer Emergency Response Team has urged businesses to maintain backup copies of their database and files on a regular basis. It has further advised businesses to regularly monitor and review administrator-level accounts and privileges for access and activities. With this in mind, organizations need to look beyond their perimeter defenses and consider how quickly they can remediate and get their business back up and running following an attack.

Joanne Wong, Vice President, International Markets, LogRhythm, advised: “Only when organizations develop a holistic cybersecurity strategy, and gain full visibility across their entire IT environment – including all their vendors – can they effectively detect and nip such threats in the bud.”

Noting that organizations have been reminded, time and time again, that we cannot afford to let our guard down, she elaborated: “In today’s increasingly connected world, organizations are inextricably linked to a network of partners that operate behind-the-scenes. With this comes unprecedented vulnerability – anyone could be a weak link. Moreover, malicious actors are already more likely to target smaller vendors, who tend to have limited resources and cybersecurity capabilities, as a means to gain access to larger, more influential targets like Fullerton Healthcare.”

Wong saw this attack as one that’s particularly opportunistic, given the ongoing COVID-19 crisis and increased reliance on the healthcare industry, and that it serves as a stark warning for others operating in such critical sectors that they cannot take their cybersecurity for granted.

Nagel said: “We look forward to hearing more from Fullerton in the days ahead as their insights could help other businesses from being victimized.”