AXA Insurance Reports Singapore Breach
Company Reveals Few Details; Experts Speculate on Cause
The Singapore arm of AXA Insurance Group says a web application flaw exposed the personal data of 5,400 insurance customers to hackers.
"The breach has exposed their email addresses, birth dates, and mobile numbers, which were used to transmit one-time passwords when users accessed the health portal," says Eric Lelyon, data protection officer for AXA, in an email to customers. "The one-time passwords were required in order for users to log in to the site."
Lelyon claims that the breach was not likely to, on its own, expose people to identity theft. But he warns customers to be on the lookout for phishing scams attempting to extract the rest of their personal information.
AXA has urged its customers to reach out to law enforcement to lodge a formal complaint if they inadvertently disclosed personal data as a result of a phishing attempt in the last few months that could possibly have a connection to the AXA incident.
An AXA spokesperson tells Information Security Media Group: "AXA has been subject to a cyberattack to a health portal that compromised a limited number of our customers' personal data, and necessary action has been taken to secure the portal taking cognizance of customer privacy."
"With the relatively small number of records that were breached, my guess is that it's a direct attack on the company's web application," says Tom Wills, director, Ontrack Advisory.
Dharshan Shanthamurthy, CEO at SISA Information Security, offers a similar theory. "Though nothing can be confirmed until AXA gives the exact reasons, from my past experience such cases are typically a result of web application compromise. Attackers have exploited an application running on the network."
A web application compromise is usually the result of improper application configuration, coding mistakes that lead to insecure development of an application, or inadequate application security testing, Shanthamurthy says.
A Cyber Security Agency Singapore spokesperson tells ISMG: "CSA is aware of the data breach of AXA's systems. We understand that the matter is still under investigation. Nevertheless, this incident is a reminder that companies that collect and hold customer data are an attractive target for cybercriminals. Hence, companies need to make the appropriate risk assessment, prioritize cybersecurity and adopt proactive measures to better protect themselves against cyberattacks."
Law enforcement officials and Singapore's Personal Data Protection Commission are investigating the incident.
A Need for Penalties?
Some security experts argue that imposing strong penalties against companies with inadequate security controls could help ensure that companies take more stringent measures to reduce breach incidents.
"While data breaches are known to have a significant negative impact on the victim organization's reputation - shareholder value and bottom line - they can also lead to identity fraud against the organization's customers," Wills says. "One needs to invest adequately in resources to secure all their endpoints, instead of waiting until they've been compromised before they invest in adequate security controls."
A chief risk officer at an Indian insurance firm, who asked not to be named, notes: "Where the strong penalties come in is to incent companies to proactively implement a baseline level of cybersecurity. It's not a perfect solution, but I believe penalties are necessary to truly up the industry's security."
Rana Gupta, vice president, APAC sales, identity and data protection at Gemalto, also argues that financial penalties in cases of inadequate measures to protect the privacy of personally identifiable information are a good way to promote accountability.
But Ken Soh, CEO at Athena Dynamics, has a different take. "Strong penalties may not be the silver bullet," he says. "Indeed, it may not be fair to the business entities in consideration of the rapid emergence of advanced threats and hacking techniques that are constantly outwitting mainstream defense systems and strategies. Ongoing and consistent education and awareness programs are naturally more important."
The use of effective cyber forensic tools can help organizations that have been breached to identify the nature of the threat and neutralize it so that no further data is compromised, some security experts say.
Rohan Vibhandik, a cybersecurity researcher at ABB, recommends the following steps:
- To avoid the severe threat of SQL injection, use a safe API that eliminates the use of the interpreter entirely or provides a parameterized interface.
- To avoid security misconfiguration, check periodically for any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges), obsolete system patches or outdated plugins/software. A strong application architecture that provides an effective and a secure separation between components is required.
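To make the first recommendation concrete, here is an added example (not code from the article or from AXA) in Python with the standard library's sqlite3 module. It models a portal that looks a customer up by email before sending a one-time password; the schema, the two sample rows and the injection payload are constructed for the illustration. The vulnerable function concatenates the email into the SQL text, so the interpreter parses attacker-controlled characters as SQL; the hardened function keeps the query text fixed and sends the value as a bound parameter, which is what "a parameterized interface" means in practice.

```python
import sqlite3

def make_db():
    # Constructed sample data: a hypothetical customers table, not AXA's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, dob TEXT, mobile TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, dob, mobile) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "1980-01-01", "+6591111111"),
            ("bob@example.com", "1975-06-15", "+6592222222"),
        ],
    )
    return conn

def lookup_vulnerable(conn, email):
    # Deliberately vulnerable: user input is spliced into the SQL text, so the
    # SQL interpreter sees whatever the caller typed as part of the statement.
    sql = "SELECT email, dob, mobile FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # Hardened: the statement is fixed at development time; the email travels
    # as a bound parameter and is never parsed as SQL, whatever it contains.
    sql = "SELECT email, dob, mobile FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Classic tautology payload: turns WHERE email = '' OR '1'='1' into "match every row".
PAYLOAD = "' OR '1'='1"

def demo():
    # Returns (rows leaked by the vulnerable lookup, rows returned by the safe one).
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)   # dumps both customers' email, DOB, mobile
    safe = lookup_parameterized(conn, PAYLOAD)  # no customer has that literal address
    return len(leaked), len(safe)

def handles_quote(conn, fn):
    # Side benefit of binding: a legitimate address containing an apostrophe
    # breaks the concatenating version (malformed SQL) but is fine when bound.
    try:
        fn(conn, "o'neil@example.com")
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    print("rows leaked / rows returned safely:", demo())
    c = make_db()
    print("vulnerable survives apostrophe:", handles_quote(c, lookup_vulnerable))
    print("parameterized survives apostrophe:", handles_quote(c, lookup_parameterized))
```

The same pattern applies to every driver that follows the DB-API: pass values through the second argument of execute(), never through string formatting, and the "safe API" recommendation is satisfied without any hand-rolled escaping.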
Other steps recommended by security practitioners are:
- Migrate the current web application to a QA environment and conduct a thorough vulnerability assessment and penetration test (VA-PT) of the application, giving special attention to the authentication and authorization mechanisms, unsanitized uploads and insecure direct object references.
- If the application has been hacked, test the corresponding web server for backdoors.
- Perform a code review of the application to identify deviations from secure coding practices.
- Train the in-house development teams in basic security assessments along the lines of OWASP and SANS.
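The insecure direct object reference named above is worth showing alongside the test that finds it. The following is an added Python example, not code from the article or from any portal it describes; the policy records, the user ids and the Forbidden exception are constructed for the illustration. The vulnerable handler fetches a record by the client-supplied id alone, so any logged-in user can read other customers' records by changing the id; the hardened handler ties access to the owner recorded on the server and returns the same failure for "not found" and "not yours" so ids cannot be enumerated. The probe function does what a VA-PT tester would do: log in as one user and walk neighbouring ids.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    policy_id: int
    owner_id: int
    summary: str

# Constructed sample data: hypothetical policy records, not real customer data.
POLICIES = {
    101: Policy(101, owner_id=1, summary="health plan A"),
    102: Policy(102, owner_id=2, summary="health plan B"),
}

class Forbidden(Exception):
    """Raised when the authenticated user may not see the requested record."""

def get_policy_vulnerable(session_user_id, policy_id):
    # Insecure direct object reference: the record is looked up by the id the
    # client sent, and the authenticated user's identity is never consulted.
    return POLICIES[policy_id]

def get_policy_checked(session_user_id, policy_id):
    # Hardened: authorization is decided from server-side state (the owner on
    # the record) against the session, not from anything the client supplied.
    policy = POLICIES.get(policy_id)
    if policy is None or policy.owner_id != session_user_id:
        # One indistinguishable response for missing and foreign ids, so a
        # tester walking ids cannot learn which ones exist.
        raise Forbidden("policy not accessible")
    return policy

def idor_probe(fetch, session_user_id, ids):
    # Pentest-style check: as user `session_user_id`, request each id and
    # collect those that came back belonging to someone else.
    leaked = []
    for pid in ids:
        try:
            policy = fetch(session_user_id, pid)
        except (KeyError, Forbidden):
            continue
        if policy.owner_id != session_user_id:
            leaked.append(pid)
    return leaked

if __name__ == "__main__":
    probe_range = range(100, 105)
    print("vulnerable handler leaks:", idor_probe(get_policy_vulnerable, 1, probe_range))
    print("checked handler leaks:", idor_probe(get_policy_checked, 1, probe_range))
```

Running the probe against both handlers is a cheap regression test to keep in the QA environment: a non-empty result from the hardened handler means an authorization check has been bypassed or removed.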