Nearly 79,400 MyRepublic mobile subscribers were affected by the data breach and the data stolen were documents that were used for verification during the application process for mobile services.
The data was stored on a third-party data storage platform and was accessed without permission on 29 August 2021. The unauthorised access to the data storage facility has since been secured, and the incident has been contained. MyRepublic says no other personal information is believed to have been stolen.
The incident has since been reported to the Personal Data Protection Commission and the Infocomm Media Development Authority. A cyber incident response team, which includes a team of external expert advisors such as KPMG in Singapore, has also been activated to work closely with MyRepublicβs internal IT and Network teams to resolve the incident.
The affected data includes:
- For affected Singapore citizens, permanent residents and employment and dependent pass holders β scanned copies of both sides of NRICs – this includes name, address, date of birth, gender, race, place of birth, full NRIC number, photograph, thumbprint, date of card issue and (for employment passes and dependant passes) employer and nationality;
- For affected foreigners β proof of residential address documents (e.g. scanned copies of a utility bill, tenancy agreement or insurance policy), including name and address; and
- For affected customers porting an existing mobile service β name and mobile number.
While there is no evidence that any personal data has been misused, affected customers are advised to:
- Keep an eye on your financial and other accounts for suspicious activity, such as unauthorised transactions and changes to account details, and notify your bank as soon as possible if you notice any such activity;
- Check with Singapore Post that your mail has not been redirected if you find you are not receiving mail, and secure your letterbox (fraudsters sometimes redirect or steal mail to avoid detection);
- Contact MyRepublic if you receive an unsolicited number port request (fraudsters sometimes attempt to port mobile numbers to obtain access to SMS authentication messages); and
- Notify the relevant seller or service provider as soon as possible if you receive goods or services that you did not order or notifications about goods or services that you did not order.
- Be wary of anyone contacting you who requests personal data or access credentials from you, even if they appear to know other details about you;
- Not respond to email or SMS messages asking for personal data (few legitimate organisations will ask for personal information by email or SMS); and
- Be careful of unsolicited telephone calls which purport to be from a government authority or business (if you think the call is genuine, hang up and call the authority or business back on their public telephone number).
All affected customers were also offered to take up a complimentary credit monitoring service through Credit Bureau Singapore. Under this service, CBS will monitor their credit report and alert them of any suspicious activity. They may take up the offer by filling up a form HERE.
