Fullerton Health customers' details stolen and put up for sale
Hackers claim they stole data of 400,000 people, including insurance policy details, bank accounts
Personal details of Fullerton Health customers were stolen by hackers and hawked online, after a vendor of the private healthcare group suffered a breach earlier this month.
The data was put up for sale on hacking forums from Oct 11 and could be bought for US$600 (S$810) in Bitcoin.
However, checks by The Straits Times showed that the hackers took down the posts on the data sale last Friday.
The hackers claimed they managed to steal the data of about 400,000 people, including insurance policy details of Singaporeans.
A sample of the data uploaded by the unidentified hackers included customer names and identity card numbers, as well as information on bank accounts, employers and medical history.
It also had personal details of the customers' children.
A sample document that was shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines.
The breach involved a server used by Agape Connecting People, a social enterprise that provides contact centre services. Agape was engaged as a vendor to handle bookings by Fullerton Health customers.
The medical service provider discovered the breach shortly before informing Agape about it on Oct 19. Both have made police reports, and the Personal Data Protection Commission has been informed. Investigations are ongoing.
Responding to queries from ST, Fullerton Health confirmed its own networks were not compromised, and it is still trying to establish the exact number and identities of those affected.
Mr Ho Kuen Loon, group chief executive of Fullerton Health, said there is no disruption to its services resulting from the breach.
"We take this matter very seriously as confidentiality of our customers' personal data is of utmost importance to us," he said. "We will be reaching out to affected customers whose personal data may have been affected at the earliest possible time."
Fullerton Health has engaged cyber-security experts to work with Agape to prevent such an incident from happening again.
Yesterday, Agape said its system was isolated and suspended immediately once the breach was discovered, and that no credit card or password information was exposed.
Checks by ST found that the hackers specialise in the pilfering and sale of data from the e-commerce and healthcare sectors. They continue to hawk data from numerous organisations in many countries.
When contacted, the hackers said they stopped the sale of the Fullerton Health data after having found a "good buyer" but did not provide further details.
Fullerton Health is one of the private healthcare providers involved in Singapore's national vaccination programme. ST understands that the stolen data is not related to the programme.
A spokesman for the Ministry of Health (MOH) said it was informed by the police about the data breach involving the vendor.
She said: "The vendor is not connected to MOH's IT systems, which are not affected by the incident. The outsourced vendor is not involved in vaccination."