SingHealth cyberattack: MAS orders financial institutions to tighten customer verification

SINGAPORE: The Monetary Authority of Singapore (MAS) said on Tuesday (Jul 24) it has instructed all financial institutions to tighten their customer verification process, following the SingHealth cyberattack.

Last month, cyberattackers stole 1.5 million SingHealth patients’ records in what was deemed by the Ministry of Health and Ministry of Communications and Information to be the “most serious breach of personal data” in Singapore’s history.

The 1.5 million individuals had their non-medical records – including their name, NRIC, address and date of birth – illegally accessed and copied in the cyberattack. About 160,000, including Prime Minister Lee Hsien Loong, also had their dispensed medicines records taken.

“With immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification,” MAS said in a statement.

“Additional information must be used for verification before undertaking transactions for the customer. This may include, for instance, One-Time Password, PIN, biometrics, last transaction date or amount, etc.”

MAS added it has also directed all financial institutions to conduct a "risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions".

"MAS will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence," said MAS’ chief cybersecurity officer Tan Yeow Seng.

On Tuesday evening, OCBC Bank said in a statement that it already has "a set of rigorous authentication measures" to validate a customer's identity before proceeding with a request. 

"However, to combat the risks arising from the SingHealth incident, we have further enhanced our customer verification process to prevent any unauthorised financial transactions," said Ms Koh Ching Ching, head of group corporate communications at OCBC. 

UOB also said that it has robust policies, processes and practices in place to safeguard customers against any unauthorised access.

"We are committed to protecting our customers from cybersecurity threats. We remain vigilant and are constantly monitoring developments and enhancing our systems to ensure that we detect and respond to potential cybersecurity risks and threats promptly," a UOB spokesperson said.

"We remind our customers that UOB does not send unsolicited SMS or emails asking them to provide their personal or account details," the spokesperson added. 

In a statement, DBS said that it uses "industry-leading security technology and protocols" to ensure that its customers' information and money are safe.

"Banking security is of foremost concern to us," a DBS spokesperson said.

"We also constantly monitor credit/debit card transactions in real time for any suspicious activities.

"Following news of the SingHealth data breach, we immediately enhanced our customer verification measures used for customer phone queries. We have also been urging customers to be on the alert for scam calls or phishing emails," the spokesperson added. 

The attack has prompted healthcare institutions to step up security measures and sparked a Government probe into the incident.

MAS' Mr Tan also said that customers have to do their part by safeguarding their passwords and practising good "cyber-hygiene". 

"If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately," he said.

Source: CNA/ec(hm)/hs(aj)