MAS urges FSIs to tighten customer verification after SingHealth breach


The Monetary Authority of Singapore (MAS) has issued an urgent notice to financial institutions to bolster their customer verification processes in the wake of the SingHealth data breach.

More than 1.5 million individual records were illegally accessed by hackers in the SingHealth raid – Singapore’s biggest cyber breach to date. Of these, up to 160,000 people, including Prime Minister Lee Hsien Loong as well as a number of ministers, had their outpatient prescription information stolen.

MAS urged financial institutions to enforce strict verification measures before customer transactions are processed, making use of multiple authentication measures including one-time passwords, PINs, biometrics, and last transaction date or amount tests.

Singapore’s chief regulator further advised financial institutions to avoid using verification methods that rely solely on the types of information stolen in the SingHealth breach, which include customer names, NRIC numbers, addresses, gender, race, and date of birth.

Tan Yeow Seng, Chief Cyber Security Officer at MAS, said the regulator “will work closely with financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence.”

However, he insisted “customers must also play their part” in safeguarding their passwords and practising good cyber hygiene. Tan also urged customers to immediately notify their banks if they suspect fraudulent transactions in their accounts.

Tan also advised FSIs to conduct a risk assessment of the SingHealth incident on their existing control measures for services offered to customers, including transaction and inquiry functions.

“Financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information,” Tan said. MAS will engage financial institutions on their risk assessments and mitigation steps.

Banks in Singapore are required to implement two-factor authentication (e.g. PIN and one-time passwords) at login to verify customers accessing online financial services. Banks must also implement an additional layer of control to authorise high-risk transactions.