Singapore Telecommunications Ltd (Singtel) was dealt another blow on Monday 10 Oct, as a second subsidiary, Dialog Group, an IT services company based in Australia, was targeted in a cyberattack which could ‘potentially affect fewer than 20 of its clients and 1,000 current and former employees’.
In a statement released to the stock exchange, Singtel announced that the unauthorised access was detected on 10 Sept while the company “became aware that a very small sample of Dialog’s data, including some employee personal information, was published on the Dark Web”.
Singtel assured its stakeholders that upon discovering the unauthorised access in September, its ‘servers were restored and fully operational’ within two days.
“We contracted a leading cybersecurity specialist to work with our IT team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigations showed no evidence of unauthorised downloading of data,” explained Singtel.
Prior to this data breach, another of its subsidiaries in Australia, Singtel Optus Pty Limited, was also the target of a cyberattack that had compromised customers’ data.
The information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.
On 11 Oct, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority notified Singtel of their intention to commence formal investigations in connection with the Optus data breach.
“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” said Australian Information and Privacy Commissioner Angelene Falk on the OAIC website.
“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse. The investigation is being conducted under the Australian Privacy Principle 1, section 40(2) of the Privacy Act 1988.
Should they find any serious interference with Australian privacy law, the commissioner will be able to seek civil penalties through the federal court of up to $2.2 million for each breach.