MAS warns stolen SingHealth data could be used in bank fraud

Financial institutions are discouraged from relying on the stolen information for customer verification.

The Monetary Authority of Singapore has urged financial institutions to tighten customer verification processes in light of the recent cyberattack at government public health database SingHealth wherein the personal information of 1.5 million individuals including the Prime Minister were illegally accessed. 

All financial institutions are discouraged from relying on the information stolen from the attack (name, NRIC number, address, gender, race and birth date) for verifying customer identities. Additional information like One-Time password, PIN, biometrics and last transaction date is needed before transactions can be performed on behalf of the customer, the de-facto central bank said in a statement.

“MAS has also directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions,” it added.

Customers should also remain vigilant by safeguarding passwords, notifying banks in case of suspicious activity and practising good cyber hygiene, added Tan Yeow Seng, MAS chief cybersecurity officer.

On its part, OCBC is working overtime to tighten its customer verification process in line with the directive. “We have in place a set of rigorous authentication measures to validate our customer’s identity before proceeding with the request. However, to combat the risks arising from the SingHealth incident, we have further enhanced our customer verification process to prevent any unauthorised financial transactions,” said Koh Ching Ching, head, group corporate communications at OCBC Bank.

"At UOB, we are committed to protecting our customers from cybersecurity threats. We remain vigilant and are constantly monitoring developments and enhancing our systems to ensure that we detect and respond to potential cybersecurity risks and threats promptly," a UOB spokesperson said.

The spokesperson added that customers should also work with banks in safeguarding data.

"We remind our customers that UOB does not send unsolicited SMS or emails asking them to provide their personal or account details."