Channel NewsAsia

Hackers steal 1.2b passwords: No reports of Singaporeans affected yet, says SingCERT

Singapore Government agencies are on alert after Russian hackers stole 1.2 billion login credentials worldwide.

SINGAPORE: There have been no reports of breaches in Singapore following the news that Russian hackers stole 1.2 billion passwords worldwide, a Singapore Computer Emergency Response Team (SingCERT) spokesperson told Channel NewsAsia on Wednesday (Aug 6).

SingCERT said it is in talks with the authorities in the United States to verify if people or organisations in Singapore are affected by the password theft which was reported early on Wednesday. Government agencies here are also on alert to detect possible unauthorised access to government systems and data.

A New York Times report quoted US-based firm Hold Security as saying a gang called "CyberVor" had stolen usernames and passwords from around 420,000 websites. While the websites were not named, some of them are believed to be major brand names.

"Businesses and individuals are urged to take the necessary precautions to enhance their cyber security," said the SingCERT spokesperson. "Simple measures like changing passwords regularly and using strong and different passwords for sites that contain sensitive information like financial, health or credit card data are advised."

LOCAL IMPACT

Despite SingCERT's initial response, it is likely users and websites in Singapore may have been affected, cybersecurity experts told TODAY.

“With 1.2 billion accounts and 420,000 websites affected, almost all Web users would be affected in some way and it would be reasonable to assume some would be in Singapore,” said Mr Bryce Boland, FireEye’s chief technology officer for Asia-Pacific.

Mr Anthony Lim, vice-chair of the Application Security Advisory Board at not-for-profit association for information security professionals ISC2, concurred. “Given the horrendously large amount of account information stolen, the probability of some Singapore account holders’ credentials being in there is not zero. While it is not clear if Singapore account bases were targeted, nowadays, it is possible, given that many Singaporeans sign up for overseas-based e-services, including Facebook. We are not sure exactly which organisations’ account bases were stolen, but it is quite doubtful that Singapore e-services or organisations were specifically targeted.”

The attack by the Russian hackers is the latest in a string of major cybersecurity breaches reported in the past year. Last December, Eastern European hackers stole about 40 million credit-card numbers from US retail giant Target.

"SECURITY SOLUTIONS NOT TOTALLY ADEQUATE"

Closer to home, the IDA revealed in June that 1,560 SingPass accounts had been compromised. Investigations revealed that no vulnerabilities in the system had been uncovered, said Minister for Communications and Information, Dr Yaacob Ibrahim, last month, adding that the Government would implement steps to tighten security for online services.

“The big question is, in today’s world, where there is a nearly 20-year maturity of IT/network security solutions in place … ‘Why do such things continue to happen and in such scary mammoth proportions?’ It seems quite obvious that security solutions in place are still not totally adequate despite their maturity or there is a new loophole,” said Mr Lim.

Mr Boland added: “Singapore still has a long way to go in the fight against malware-based attacks. Regulators or Internet service providers here can implement technologies to detect and block malware on behalf of consumers — a method that has proved effective in Scandinavia.”

He suggested that Web users take steps to protect themselves by using different passwords for various sites.

Gartner’s principal research analyst Anmol Singh agreed that passwords need to be rotated more diligently. “Companies and websites also need to move away from the username-and-password-based model to a more multi-factored authentication that includes, for instance, biometrics.”

The private sector must also step up its efforts to strengthen defences against cybercrime, PwC’s IT Risk and Cybersecurity leader Tan Shong Ye cautioned.

“With the introduction of the Personal Data Protection Act, organisations are now legally required to implement adequate measures to secure personal data, failing which organisations and their officers, including directors, may be liable to fines and even criminal charges,” said Mr Tan.