Friday, December 6, 2013

StanChart reports theft of 647 private bank clients' statements

    By Wong Siew Ying and Kimberly Spykerman
    POSTED: 05 Dec 2013 20:11
    UPDATED: 05 Dec 2013 23:09

Standard Chartered Bank said it has been notified by the police of the theft of 647 of its private bank clients' monthly bank statements.

SINGAPORE: Standard Chartered Bank Singapore (StanChart) said it has been notified by the police of the theft of 647 of its private bank clients' monthly bank statements for February 2013.

But the bank assured clients that it has not found any unauthorised transactions resulting from the incident.

Banking regulator the Monetary Authority of Singapore (MAS) said on Thursday it would consider if regulatory action against StanChart is warranted.

StanChart Private Bank caters to high net worth individuals with investable assets of over US$2 million.

The bank said on Thursday there was a theft of monthly statements for February this year for 647 of its clients.

It said the theft occurred through a server of a third-party service provider, Fuji Xerox Singapore, which prints statements for its private bank clients.

It is understood that Fuji Xerox acts for only one other non-bank financial institution in Singapore.

In a statement, StanChart's CEO Ray Ferguson said the confidentiality and privacy of its clients are of paramount importance, and it takes the incident very seriously.

The bank also confirmed that its IT and data security systems were not compromised, based on investigations to date.

In response to Channel NewsAsia queries, StanChart said it has currently suspended Fuji Xerox's services for the purpose of ongoing investigations.

The bank said it has taken immediate steps to further enhance its data security and procedures, including a full review of the security controls of relevant outsourcing relationships.

As a precaution, StanChart said it is contacting private banking clients who have been affected.

It stressed that all of its wholesale banking clients, small and medium enterprises (SMEs) and retail customers are not affected by the incident.

Meanwhile, a forensic team is conducting a review at Fuji Xerox.

The company said there was unauthorised access to a server dedicated to StanChart Private Bank in a standalone printing facility.

But there was no impact on the data of customers on any other systems.

MAS said the incident is an isolated case, but it underscores the need for financial institutions to be more vigilant, including "close management of risks relating to service providers".

In a strongly-worded statement, the central bank said it will review StanChart's investigation report and consider if regulatory action is warranted against the bank.

The regulator added that it is paying "special supervisory attention to financial institutions' compliance with MAS' requirements for IT outsourcing".

The incident is now under police investigation.

Singapore Police said in a statement on Thursday evening that in the course of investigations, police discovered that files containing data on StanChart bank clients were found in a laptop seized from James Raj Arokiasamy.

Police confirm that StanChart had lodged a report on Monday, December 2.

A cybersecurity expert that Channel NewsAsia spoke to said the breach could have been the result of a service lapse.

Anthony Lim, member of the Application Security Advisory Board, said: "Typically when a highly sensitive organisation like a bank outsources such services, especially highly sensitive data like private bank records to a service provider, there is something known as a service level agreement, or SLA, which obliges the third party service provider to maintain the same level of security that the bank should have.

"The parties involved are big names, so I'm sure the SLA was in place. So somewhere along the way there must have been a service lapse -- somebody must have slipped or forgotten something, allowing the breach or compromise."

Mr Lim said he was certain that consumer confidence would not be affected by the incident.

But he added: “By tomorrow, all the banks in the country will be looking at their SLAs and upgrading their SLAs and calling third party service providers for meetings to ensure such things don't happen and that any service lapses, protocol lapses are fixed immediately.”

- CNA/gn

- wong chee tat :)
