Fullerton health vendor hacked

Fullerton Health has filed a police report after its vendor’s server was hacked, revealing the personal data of some of its customers in Singapore.  Agape Connecting People Holdings, the vendor, helps patients of Fullerton Health to make appointments. Fullerton Health has confirmed that their own IT network, systems and databases have not been breached. 

Agape stated that they discovered client data was compromised due to unauthorised access by a malicious third party. Compromised information included names and contact details, bank account information and medical history; however Fullerton Health maintains that no credit card information or passwords were leaked. The incident also appears to have been contained only to Fullerton Health; none of their other clients have experienced breaches.  

The hackers claimed that they managed to steal the data of around 400,000 people, including the insurance policy details of Singaporeans. The stolen data was put up for sale on hacking forums on the 11th October for $600. However the hackers took down the posts on the data sale last on the 22nd October. 

The breach was identified and action was taken immediately to prevent further compromise. The system was isolated and suspended and no care infrastructure was compromised.  

Investigations are still underway in order to identify the exact number and identity of affected individuals. Fullerton Health has stated that those affected are patients based in Singapore, those based elsewhere have not been subject to data breaches that they are aware of.  

Digital forensic and cyber security experts are engaging with Agape to determine the cause of the incident and to remedy the problem in order to prevent a recurrence. 

Third party infrastructures should include automated threat monitoring and access control and vendors should be enforced to have the same level of security as the organisation does, if not it may leave vulnerabilities in access points. Many companies use advanced security programs but that won’t matter if the basics are not done well. Cyber security basics are cheap to maintain and become an expensive problem when overlooked.