Hackers steal personal data of 5,400 AXA customers
AXA Insurance in Singapore hit by cyber attack on its health portal
The personal data of about 5,400 past and present customers of AXA Insurance here has been stolen in a cyber attack.
The French life insurance company e-mailed most of the affected customers yesterday about the data breach. The rest will be informed today.
The e-mail by its data protection officer Eric Lelyon said the attack on its health portal took place recently, without giving the date.
In particular, the customers' e-mail address, mobile number and date of birth were exposed.
The company said no other personal data - including name, NRIC number, address, credit card or bank details, health status, claims history or marital status - was leaked.
When contacted, AXA Singapore chief executive officer Jean Drouffe said the company takes customer privacy seriously and apologised for the breach.
He assured customers that its Health Portal "is now secure".
He did not address questions about the breach and when the attack took place, but said: "A thorough review of our IT systems is underway. No financial or health data was compromised."
Mr Drouffe also said the compromised data, by themselves, will not result in identity theft.
Customers, however, are advised to be vigilant against phishing, often done via e-mail, to trick victims into disclosing their credentials.
AXA has filed a police report.
It advised customers to do the same if they had inadvertently disclosed personal data as a result of phishing attempts in the last few months, as it could be connected to the AXA hacking.
Mr Gavin Chow, network and security strategist at cyber security solutions firm Fortinet, said hackers could masquerade as AXA or any commercial entity to trick victims into revealing, for instance, their e-banking username and password.
This method, known as phishing, can be carried out via e-mail, SMS or WhatsApp when the hacker has a user's e-mail address and mobile number.
Hackers could also trick victims into installing malware on their computers or mobile phones, and then steal one-time passwords sent via SMS to make fraudulent transactions.
"If anyone is using their birth dates as passwords, change it now," said Mr Chow.
Singapore's privacy commission, the Personal Data Protection Commission, said it is investigating the breach.
A Monetary Authority of Singapore (MAS) spokesman said it has asked AXA to do a thorough review of its IT security and to fix control gaps.
"MAS takes a serious view of this incident and is investigating the matter."
Singapore's Cyber Security Agency urged companies that hold customer data to prioritise cyber security and adopt proactive measures to better protect themselves against attacks.
In April, hackers broke into the networks of the National University of Singapore and Nanyang Technological University, presumably to steal government-related data.
Just two months earlier, the personal data of 850 national servicemen and Defence Ministry staff was also stolen.