Another day, another IT firm in Singapore with lax security protocols and no encryption on its stored files got hacked. Whizcomm Singapore got hacked and my personal information got stolen. A review of Whizcomm's handling of the security breach. (This article will be an ongoing update. There has been no update since the very first email on 10 May.) The Straits Times reported that 50% of customers were affected.
Whizcomms Singapore got hacked – my personal info got stolen
Below is the letter from their managing director on the security breach/hack.
Dear XXXX,
It has come to our attention that a third party had gained unauthorized access to our company's web server. Some of our customers' personal information has been downloaded by the third party. The personal information downloaded is the scanned image of identification documents such as NRIC, Work Permit, and Tenancy Agreement that you have provided to us. I regret to inform you that your personal information was among those that have been downloaded. I would like to personally apologize for this incident and we are deeply disappointed with the events that have taken place. However, we want to assure you that the unauthorized access has been immediately contained since. We are working with the respective authorities, namely Singapore Police Force, Personal Data Protection Commission and Infocomm Media Development Authority, and are strengthening our safeguards to prevent such attempts again.
There is no indication that other personal information, such as your contact information and payment information, was involved. However, do look out for any suspicious activities that may use your identity for other services. You may contact the police should you discover such activities.
With scam calls and fraudulent activities already on the rise, we recommend that you continue to be vigilant, especially for any potential signs of identity fraud.
If you require further clarifications, you may call us at 9648 2460 during our operating hours or email us at [email protected].
Sincerely,
Chiang Chee Cheong
Managing Director
Whizcomms security breach and protocol
A few things did not surprise me. I could still log in to my account. It was never protected with 2FA. So can the person(s) who got my info log in by asking for a password change? Or by brute force? If the front end has such lax security, what about their backend? Do they use 2FA across their entire login system? Is there a policy in place to change passwords, especially for their web server? I am very curious to know.
They never apologised for having lax security: no 2FA, no encryption of our personal data. How would they know it is contained? What protocol have they put in place to prevent unauthorised use of that data to ask Whizcomm for more information, such as credit card details? Just saying you have taken steps is not enough!
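For readers wondering what "2FA" and "brute-force protection" on a customer login actually involve, below is an added example that is not code from the original post and not Whizcomms' own system. It implements RFC 6238 TOTP (the six-digit codes from an authenticator app) with HMAC-SHA1 from the Python standard library, accepts one time step of clock skew either side, and wraps it in a hypothetical `LoginGuard` that locks an account after five failed attempts so that a stolen password cannot simply be guessed against or reused. The `password_ok` flag is assumed to come from the site's own password check, which is out of scope here; the secret used in the demo is the RFC 6238 test key, not a real customer's.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at` (epoch seconds)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew).

    hmac.compare_digest avoids leaking, through timing, how many digits matched.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class LoginGuard:
    """Hypothetical login gate: both factors must pass, and repeated failures lock the account."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self):
        # username -> (consecutive failures, epoch second the lockout ends)
        self._failures = {}

    def attempt(self, user: str, password_ok: bool, totp_code: str, secret: bytes, now: int) -> str:
        count, locked_until = self._failures.get(user, (0, 0))
        if now < locked_until:
            return "locked"
        # Evaluate both factors before answering so a wrong password and a wrong
        # code are indistinguishable to the caller (no factor-by-factor oracle).
        second_factor_ok = verify_totp(secret, totp_code, now)
        if password_ok and second_factor_ok:
            self._failures.pop(user, None)
            return "ok"
        count += 1
        if count >= self.MAX_FAILURES:
            self._failures[user] = (count, now + self.LOCKOUT_SECONDS)
            return "locked"
        self._failures[user] = (count, locked_until)
        return "denied"


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 Appendix B test key, not a real customer secret.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("current code for the demo secret:", totp(demo_secret, now))
    guard = LoginGuard()
    print("correct password, wrong code:", guard.attempt("demo", True, "000000", demo_secret, now))
    print("correct password, correct code:", guard.attempt("demo", True, totp(demo_secret, now), demo_secret, now))
```

Note the two points a "password only" login misses: a leaked password (or a password reset triggered with a stolen NRIC scan) is not enough on its own, and a guessing attack is cut off after a handful of tries instead of running unbounded.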
As of 11 May, the Whizcomm website (image grab above) still had not publicly admitted that their system had been hacked. This is appalling and shows a lack of transparency for a company dealing in IT.
They did not mention all the document types that were stolen (only some). They did not mention which part of the business the leak came from: finance? HR? Billing? Or is it just that their whole system is a mess?
Weird thing: one cannot remove one's credit card from the system unless one replaces it with another one. Imagine if someone were able to use our details to log in to our account.
Is Whizcomms trustable?
On the Whizcomm website, like many other standard T&Cs used by other companies, they say:
We have implemented stringent measures and safeguards in protecting your information. These include:
- Systems and work procedures to prevent and detect frauds and crimes
- Conduct internal audits
- Ensure the safety and security of our properties and systems
- Conduct checks against money laundering, terrorism financing, and related risks
This policy may be amended from time to time to ensure it is consistent with any new developments in WhizComms' use of your personal data or changes to any legalities in force. The updated policy will be available on our website www.whizcomms.com.sg and all business dealings and communications with us shall be subject to the latest version of this policy.
Source: https://whizcomms.com.sg/pdpa/
So how was their internal audit done, and when was it done? Obviously, their system could not detect the crime or "hack". No information was provided on how this hack came about.
I would never trust Whizcomms again, because this should not have happened. And it is time to replace my credit card with disposable credit card numbers from Revolut. Read more about Revolut here.
Other telcos possibly in a similar boat
SIMBA also does not have 2FA login. Is their backend safe? Not sure. Any online system that does not even remotely use 2FA or some form of two-factor authentication tells us how much their backend solution is worth, or how much they care about security.