MyRepublic customers compromised in third-party data breach

September 10, 2021

MyRepublic says almost 80,000 of its mobile subscribers in Singapore have had their personal data compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of national identity cards and residential addresses of foreign residents.

The “unauthorised data access” incident was uncovered on August 29 and the relevant authorities had been informed of the breach, said MyRepublic in a statement Friday. It pointed industry regulator Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission, which oversees the country’s Personal Data Protection Act (PDPA).

MyRepublic said personal data of its mobile customers were stored on the affected system, adding that “unauthorised access to the data storage facility” since had been plugged. The incident had been “contained”, it said.

Constant review of third-party security critical as ransomware threat climbs

Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers’ security posture before establishing a partnership.

It noted that an incident response team had been activated, which included external advisers from KPMG in Singapore, and would work with the broadband operator’s internal IT and network personnel to resolve the incident.

MyRepublic said its own investigation determined the unauthorised data access affected 79,388 of its mobile subscribers in Singapore. Apart from details of local customers’ national identity cards, information from documents required to verify foreign workers’ residential address, such as copies of utility bills, also were affected. The names and mobile numbers of customers porting an existing mobile service also were compromised.

MyRepublic said there were no indications other personal data, such as payment details, were affected. It added that none of its systems were compromised.

It said affected customers would be offered a complimentary credit monitoring service, provided by Credit Bureau Singapore, which would monitor customers’ credit report and send out alerts of suspicious activities.

ZDNet asked MyRepublic for more information on the third-party data storage service, including when this service was last assessed, whether it was a cloud-based platform, and how the breach was discovered. This article will be updated when responses come in.

MyRepublic CEO Malcolm Rodrigues said in the statement: “My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.

“While there is no evidence that any personal data has been misused, as a precautionary measure, we are contacting customers who may be affected to keep them informed and provide them with any support necessary,” Rodrigues said. “We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again.”

In a recent interview with ZDNet, MyRepublic said it was looking for new revenue in Singapore’s enterprise space, and planned to ramp up its service offerings with particular focus on cybersecurity, where it might look to make acquisitions to plug product gaps.