SIAS cuts member database access in new website

It will launch the website on 28 July.

The Securities Investors Association of Singapore (SIAS) will launch a new website without access to its member database on 28 July following a data breach that hit its 70,000 members.

According to a press statement, it will also discontinue any access of the membership database to and from the internet. “It will be on a standalone system (the system is currently offline and not accessible). We are also exploring additional security measures for access to the database,” the group added.

A data breach hit 70,000 members of the SIAS in 2013, leaking their names, NRIC numbers, and telephone numbers. However, they were only informed by the Cyber Security Agency (CSA) on 25 July 2018.

“The breach could have potentially occurred through access of the database from the SIAS membership login page from our website. This could have been done by means of an SQL injection,” SIAS said.

This means that a code could have been injected into the username field, and it would have returned information from the database.

“We are currently working with our IT vendor to investigate the breach and work towards securing our system,” SIAS added. The group has also taken down its current website and started scrubbing for any malware before doing data migration.

SIAS, since 2013, has not received any feedback or information from members that the hacking has adversely impacted on them. “Notwithstanding, we apologize for the service disruption and for any distress that the breach may have caused that is not yet known,” the group added.

Matt Winter, vice president of marketing and business development of intelligence and analytics platform LogRhythm, commented, “The SIAS breach is a clear example that organisations are under the false impression that they are not under threat when in reality, they didn’t know they were breached. That is worrying and that needs to change because we simply must do better.”