AXA Insurance revealed it suffered a data breach that compromised the personal data of 5,400 policyholders in Singapore, including both past and current customers. In an email sent to affected customers on Thursday (7 September), AXA data protection officer Eric Lelyon said the breach affected users of its health portal.
The compromised data includes customers' email addresses, dates of birth and mobile numbers, Singapore's The Straits Times reported. Other sensitive and personal data, such as customers' names, NRIC numbers, addresses, financial details, health status, claims history and marital status, were not exposed in the breach.
AXA Singapore CEO Jean Drouffe apologised for the breach and said the firm's online Health Portal "is now secure". The company has not specified when or how the attack took place or when it was discovered.
"A thorough review of our IT systems is underway. No financial or health data was compromised," Drouffe said, noting that the data compromised in the breach is "not likely to, on its own" lead to identity theft.
However, customers have been advised to be wary of possible phishing attempts following the breach that try to trick them into divulging additional personal data.
"In the unlikely event you feel that you may have inadvertently disclosed personal data as a result of a phishing attempt in the last few months, it is possible this could be connected to this hacking incident, and if so, we urge you to file a police report," Lelyon said.
AXA has said it is taking the incident "very seriously" and has initiated "all remedial actions" to secure its health portal and prevent any future attacks.
The French insurance giant has filed a police report and is working closely with local authorities and law enforcement regarding the incident. Singapore's Personal Data Protection Commission (PDPC) said it is aware of the incident and is conducting an investigation as well.
"We understand that AXA has addressed the vulnerability in their system. Affected individuals should remain vigilant for suspicious emails that may be phishing attempts," a PDPC spokesperson told Channel NewsAsia. "PDPC expects all organisations to adopt sound security measures to safeguard personal data and will take firm action against organisations should there be any breach of the PDPA."
The Monetary Authority of Singapore (MAS) has asked the company to conduct a thorough review of its IT security and address any security gaps.
"We understand that AXA has taken steps to address the vulnerability in its Health Portal. MAS takes a serious view of this incident and is investigating the matter," a MAS spokesman said in a statement.