SINGAPORE: The personal data of 5,400 AXA Insurance customers in Singapore was compromised in a cyberattack, according to an email the firm sent to affected customers.
In the email shared with Channel NewsAsia on Thursday (Sep 7), AXA data protection officer Eric Lelyon wrote that the stolen data included the email addresses, mobile numbers, insurance policy numbers and dates of birth of both past and present customers from its Our Health Portal.
No other personal data - such as the name, NRIC number, address, credit card, bank details, health status, claims history or marital status of customers - was stolen, he added.
Mr Lelyon wrote that "no further action" was required from affected customers as the information that was compromised was "not likely to, on its own, expose you to identity theft".
He warned customers, however, to be vigilant against phishing attempts for other personal details that could be linked to the cyber attack.
"In the unlikely event you feel that you may have inadvertently disclosed personal data as a result of a phishing attempt in the last few months, it is possible that this could be connected to this hacking incident, and if so, we urge you to file a police report. We also request that you reach out to us to let us know the details," Mr Lelyon wrote.
The French insurance company is taking the incident "very seriously" and has "taken all remedial actions to secure our Health Portal and to prevent a recurrence", he stated.
The firm has also filed a police report and is working closely with authorities, he added.
"We apologise to all our customers impacted by this incident. We wish to assure our customers that our Health Portal is now secure," said CEO of AXA Singapore, Jean Drouffe in a statement. "A thorough review of our IT systems is underway."
He added that most of the affected customers have been notified and that all remaining affected customers will be informed by Friday.
MAS ORDERS "THOROUGH REVIEW" OF AXA'S IT SECURITY
In response to Channel NewsAsia's queries, a spokesperson from the Monetary Authority of Singapore (MAS) said the authority has asked AXA to "initiate a thorough review of its IT security and to remediate control gaps".
"We understand that AXA has taken steps to address the vulnerability in its Health Portal. MAS takes a serious view of this incident and is investigating the matter," the spokesperson added.
The Personal Data Protection Commission (PDPC) told Channel NewsAsia it was aware of the AXA incident and was investigating the reported data breach.
"We understand that AXA has addressed the vulnerability in their system. Affected individuals should remain vigilant for suspicious emails that may be phishing attempts," a spokesperson said.
"PDPC expects all organisations to adopt sound security measures to safeguard personal data and will take firm action against organisations should there be any breach of the PDPA."
The Cyber Security Agency of Singapore said the incident was "a reminder that companies that collect and hold customer data are an attractive target for cyber criminals". "Hence, companies need to make the appropriate risk assessment, prioritise cybersecurity and adopt proactive measures to better protect themselves against cyber attacks," CSA said.
Last year, the personal data of 7,794 Aviva policyholders and their dependents was also breached when a printing firm hired by the insurance company sent out erroneous annual premium statements. The firm, Toh-Shi Printing Singapore, was fined S$25,000 by PDPC.