Accellion Data Breach also Affects Singapore’s Telecom Firm Singtel

Customers visit Singtel retail shop in Singapore. Singtel Ltd is one of the three major telcos in Singapore.

A third-party vendor’s security incident has impacted not only US and Australian government organizations but may also have compromised Singtel’s customer data, Singapore’s largest mobile network operator. The telecom company is investigating the impact. Some of their data files were taken. Singtel has suspended the use of the third-party software developed by Accellion for the time being.

Customer Data Possibly Compromised

Following a security incident that involved a third-party vendor, Singapore’s telecom firm Singtel discovered on February 9 that “some files were illegally accessed”. The attack apparently affected a file sharing system that Singtel was using, called File Transfer Appliance (FTA). The system was developed two decades ago by a private cloud solutions company, Accellion.

Singtel did not provide details on the data in question, not did they say how many customers were affected. “Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks”, Singtel said in a media statement on Thursday.

In mid-December, Accellion notified their clients about a security incident involving a zero-day vulnerability in their legacy File Transfer Appliance software. They released a patch to about 50 affected customers within 72 hours after discovering the P0 vulnerability. P0 is a term used by software companies to classify the most serious security issues.

Patch Did Not Effectively Plug Holes

Apparently, Singtel deployed Accellion’s tool as a standalone system. They used the FTA software to share information within the organization and with external stakeholders. Since the software was mostly used within the company, it’s likely that internal information, like business or strategic plans, may have been accessed. However, it became clear that some customer data had also been stolen. Core operations were not affected.

Singtel applied the first software patch on 23 December and a second and last one on 27 December. On 23 January, Accellion contacted clients to tell them about a new vulnerability what the 27 December patch did not cover. Singtel immediately stopped using the software and took the system offline. Accellion later informed Singtel that their system could have been breached and that this breach likely occurred on 20 January.

Forensic and criminal investigations are ongoing. Further, Singtel is conducting a thorough review of their processes and file sharing protocols. Due to the complexity of the incident it may take some time before the full extent of the breach is known. Singtel is working closely with cyber-security experts and relevant authorities. Singapore’s Cyber Security Agency is providing additional guidance.

Part of a Wider Global Breach

Accellion has alerted clients and stakeholders that the security incident is part of a wider concerted attack against users of their file sharing system. The 20-year-old legacy product “just wasn’t designed for these types of threats”, a spokesperson said.

Last week, the Washington state government confirmed they had suffered a large data breach involving claims for unemployment benefits. Subsequent exploits exposed data files the government shared via Accellion’s file transfer service. Although initially not linked to Accellion, the Reserve Bank of New Zealand is also known to be one of the victims. They released a statement in mid-January confirming the Bank had been hacked. A prominent Australian law firm and the Australian Securities and Investment Commission (ASIC) were also affected by the Accellion cyberattack. This last incident involved unauthorized access to a server that contained documents associated with recent Australian credit license applications.

The identity and motives of the hacker or hackers are not yet known. So far, there are no indications that any of the stolen data has been dumped. It is also not up for sale on, for example, the dark web.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments.