Fullerton Health vendor hacked; personal details of customers sold online

SINGAPORE – Personal details of Fullerton Health customers were stolen by hackers and hawked online, after a vendor of the private healthcare group suffered a breach earlier this month.

The data was hawked on hacking forums from Oct 11, and could be bought for US$600 (S$810) in Bitcoin. However, checks by The Straits Times showed that the hackers took down the posts on the data sale last Friday (Oct 22).

The hackers claimed they managed to steal the data of some 400,000 persons, including insurance policy details of Singaporeans.

A sample of the data uploaded by the unidentified hackers included customer names, identity card numbers as well as information about bank accounts, employers and medical history.

It also had the personal details of the customers’ children.

A sample document shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines.

The breach was of a server belonging to Agape Connecting People, a social enterprise that provides contact centre services.

Agape was engaged as a vendor to handle bookings by Fullerton Health customers.

Fullerton Health discovered the breach shortly before informing Agape on Oct 19.

They have made police reports, and the Personal Data Protection Commission has been informed. Investigations are ongoing.

Responding to queries from ST, Fullerton Health confirmed that its own networks were not compromised, and it is still trying to establish the exact number and identities of those affected.

Mr Ho Kuen Loon, group chief executive officer of Fullerton Health, said there is no disruption to its services resulting from the breach.

“We take this matter very seriously as confidentiality of our customers’ personal data is of utmost importance to us,” he added.

“We will be reaching out to affected customers whose personal data may have been affected at the earliest possible time.”

Personal data of Fullerton Health’s customers was sold on hacking forums after a call centre vendor was breached earlier this month. PHOTO: SCREENSHOT FROM “HACKING FORUM”

Fullerton Health, which specialises in designing customised medical services for corporate and insurer clients, said the breach involved only data of patients from its Singapore operations.

It has engaged cybersecurity experts to work with Agape to prevent such an incident from happening again.

On Monday (Oct 25), Agape said its system was isolated and suspended immediately once the breach was discovered, and that no credit card or password information was exposed.

“We are in the process of confirming that no other clients of Agape Connecting People were affected,” it added. “We regret this incident has caused inconvenience to our client and their customers.”

Checks by ST found that the hackers specialise in the pilfering and sale of data from the e-commerce and healthcare sectors.

They continue to hawk data from numerous organisations in many countries.

It is not known if they had any incentive to suddenly stop the sale of the Fullerton Health data.

Fullerton Health is one of the private healthcare providers involved in Singapore’s national vaccination programme.

ST understands that the stolen data is not related to the programme.