On September 10, MyRepublic Singapore announced that it discovered an unauthorized data access incident on August 29, 2021, and has moved to support its customers in mitigating any possible risk. The unauthorized data access took place on a third-party data storage platform used to store the personal data of MyRepublic’s mobile customers. The unauthorized access to the data storage facility has since been secured, and the incident has been contained.
Experts weighed in on the incident and what lessons can be learned.
Howard Ting, CEO at Cyberhaven:
"This breach is the latest in a string of examples that highlights how most services today involve a supply chain of vendors that can have access to our data. This is an important issue for individuals as well as enterprises. Too often, organizations have no visibility behind the curtain into how their service providers handle and protect their data. This demonstrates the need for more transparency and auditability so that customers can know the risk to their data."
Setu Kulkarni, Vice President, Strategy at NTT Application Security:
"Basic Confidentiality, Integrity and Availability (CIA) principles continue to be ignored, resulting in “data incidents” like this. While this incident is reported as unauthorized data access, which is serious enough, it likely points to an even more serious systemic issue with the way security for this critical data at rest is being implemented."
Simon Aldama, CISSP, Principal Security Advisor at Netenrich:
"Although there is an ongoing investigation into the incident, electronic breaches such as this highlight an ominous trend. 51% of businesses have endured data breaches caused by threat actors subverting a vendor, partner, or supplier's infrastructure, the most notable being Accellion, Audi and Volkswagen. The largest reason for this trend is that organizations focus more on post-breach incident, continuity, and crisis management rather than pre-breach risk workstreams like asset, vulnerability, and threat management. Managing vendor and partner risk requires attestations proving they've employed risk management practices and proper implementation of technology to protect personally identifiable information such as National Registration Identity Card information. Organizations utilizing third parties for sensitive data storage, processing and transfer require accountability through contractual agreements between B2B relationships. In the end, financial losses, litigation, and compliance penalties are far greater in cost than the strategic investments required to prevent the incident from occurring in the first place."
Hank Schless, Senior Manager, Security Solutions at Lookout:
"This incident highlights the importance of vetting third parties who will have access to your customers’ data. An extensive security review should no longer be optional when you’re looking to onboard a solution that could have access to this sensitive data. In addition, you should constantly review the security posture of that service to ensure they’re staying up to date. You should also look for indicators of how seriously the third party takes security.
There are certain tell-tale signs, such as having modern data loss prevention (DLP) capabilities for both cloud-based and on-premise resources, that can help you gauge confidence in the vendor’s ability to protect your data. In the case of a service that stores highly sensitive personally identifiable information (PII), you also want to understand what type of DLP tools they have in place. Any organization that has on-premise or in the cloud should have the ability to implement policies that encrypt sensitive data if it’s accessed or downloaded. Being able to implement DLP and dynamic data access policies across on-prem resources with zero trust network access (ZTNA) and cloud-based resources with a cloud access security broker (CASB) should be required of any organization that allows access to sensitive data of its customers or employees.
As part of your security reviews, check to see whether CASB and ZTNA solutions are in place. Not only does this help ensure protection of your data, but it also shows that the third party takes security seriously and has a modern take on how to secure interactions between users, devices, networks, and sensitive data."