MyRepublic customers compromised in third-party data breach

MyRepublic says almost 80,000 of its mobile subscribers in Singapore have had their personal data compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of national identity cards and residential addresses of foreign residents. 

The “unauthorised data access” incident was uncovered on August 29 and the relevant authorities had been informed of the breach, said MyRepublic in a statement Friday. It pointed industry regulator Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission, which oversees the country’s Personal Data Protection Act (PDPA). 

MyRepublic said personal data of its mobile customers were stored on the affected system, adding that “unauthorised access to the data storage facility” since had been plugged. The incident had been “contained”, it said.

It noted that an incident response team had been activated, which included external advisers from KPMG in Singapore, and would work with the broadband operator’s internal IT and network personnel to resolve the incident. 

MyRepublic said its own investigation determined the unauthorised data access affected 79,388 of its mobile subscribers in Singapore. Apart from details of local customers’ national identity cards, information from documents required to verify foreign workers’ residential address, such as copies of utility bills, also were affected. The names and mobile numbers of customers porting an existing mobile service also were compromised. 

MyRepublic said there were no indications other personal data, such as payment details, were affected. It added that none of its systems were compromised.

It said affected customers would be offered a complimentary credit monitoring service, provided by Credit Bureau Singapore, which would monitor customers’ credit report and send out alerts of suspicious activities. 

ZDNet asked MyRepublic for more information on the third-party data storage service, including queries on when this service was last assessed, whether it was a cloud-based platform, and how the breach was discovered. This article will be updated when responses come in. 

MyRepublic CEO Malcolm Rodrigues said in the statement: “My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.

“While there is no evidence that any personal data has been misused, as a precautionary measure, we are contacting customers who may be affected to keep them informed and provide them with any support necessary,” Rodrigues said. “We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again.”

In a recent interview with ZDNet, MyRepublic said it was looking for new revenue in Singapore’s enterprise space, and planned to ramp up its service offerings with particular focus on cybersecurity, where it might look to make acquisitions to plug product gaps. 

RELATED COVERAGE

• Growing reliance on third-party suppliers signals increasing security risks
• Zero trust, basic cyber hygiene best defence against third-party attacks
• Third-party security breach compromises data of Singapore job-matching service
• MyRepublic targets enterprise, cybersecurity markets in Singapore
• MyRepublic not late to Singapore mobile market, but must differentiate with customer service
• MyRepublic should look beyond Singapore, will face challenges in mobile plans
• MyRepublic secures $51M investment from private equity firm