It has been reported that MyRepublic says almost 80,000 of its mobile subscribers in Singapore have had their personal data compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of national identity cards and residential addresses of foreign residents. The "unauthorised data access" incident was uncovered on August 29 and the relevant authorities had been informed of the breach, said MyRepublic in a statement Friday. It pointed to industry regulator Infocomm Media Development Authority (IMDA) and the Personal Data Protection Commission, which oversees the country's Personal Data Protection Act (PDPA).
Commenting on this story is Trevor J. Morgan, product manager at comforte AG: "The revelation by MyRepublic that the PII of nearly 80,000 mobile subscribers was compromised in a data breach is important to understand for a single reason. For enterprises that collect such sensitive data from prospects and customers, the issue of whether subsequent data processing and storage occurs on internal resources or those of a third-party platform is less significant than appearances make it. If you are one of these enterprises in a situation similar to MyRepublic, you must understand that you are the primary caretaker of this precious asset. You will ultimately answer for anything that happens to that data.
You are tasked, often by data privacy regulations within the jurisdictions you do business, but also by common business ethics, with ensuring effective data security no matter where that data goes within your IT ecosystem. You should ask yourself, even though we have created an effective defensive perimeter around this data, is the data itself protected separately from the environment around it? If not, you should consider more data-centric protection methods to augment (not replace) your existing strategy. Tokenization and format-preserving encryption can certainly help by obfuscating sensitive data elements while still preserving data format, enabling your organization to continue working with that data seamlessly without de-protecting it. If your IT department hasn’t yet put data-centric security into your cybersecurity toolbox, now is the time to do so, before the unthinkable (but highly likely) event occurs and you’re in the middle of a security incident in full view of the entire market and your customer base."