Ransomware attack on DataPost compromises personal data of 146 Income Insurance policyholders

SINGAPORE: Personal data belonging to at least 146 Income Insurance policyholders has been compromised following a ransomware attack on DataPost, a Singapore-based data handling service provider.

The incident, which was first reported on 27 May 2025 by cybersecurity platforms RedPacket Security and HookPhish, involved the use of multiple tools and infostealers by a threat group identified as “direwolf”.

The attackers reportedly carried out a data exfiltration operation, illegally transferring files from DataPost’s systems in what appeared to be a coordinated and sophisticated campaign.

According to state media CNA, DataPost confirmed on 29 May 2025 that it is still in the early stages of its investigation and cautioned that identifying the full extent of the breach “will take time to complete”.

The company is a major vendor handling document printing and mailing for government agencies, financial institutions, and insurers including Income Insurance.

Income suspends services with DataPost as bonus statements leak affects 146 policyholders

Income Insurance, in a separate statement, confirmed that its customers’ bonus statements were compromised.

The documents included sensitive policyholder details such as names, postal addresses, policy numbers, insurance plans, and annual bonuses for the year 2024.

The insurer was alerted to the breach on 25 May 2025 and immediately suspended all printing jobs with DataPost.

Connections to the company were also blocked and firewall protections reinforced as part of a set of emergency measures.

Income Insurance stressed that its internal systems remain secure and unaffected. There is currently no evidence of unauthorised access to its digital platforms.

“We believe in informing our policyholders promptly and empathise with the concern this incident may cause,” said Andrew Yeo, Chief Executive Officer of Income Insurance.

“We have taken swift action to safeguard our systems and suspended all printing jobs with DataPost. Our team is proactively contacting impacted and potentially impacted policyholders to inform them,” he added.

Income Insurance is currently monitoring for suspicious activity through enhanced surveillance protocols and is working closely with the relevant authorities and DataPost to determine the full scope of the data breach.

The firm has begun reaching out to affected customers, providing guidance and reassurance while also assessing the need for further protective measures.

According to its website, DataPost handles more than 40 million documents each month and provides e-invoicing and digital communication services to clients across Singapore and Malaysia.

The firm noted that its facilities are subject to annual audits by banks and independent auditors to ensure compliance with data protection and operational security standards.

It is also an accredited service provider under Singapore’s InvoiceNow programme, administered by the Infocomm Media Development Authority (IMDA), which facilitates e-invoicing for businesses and public agencies.

As the investigation continues, Income Insurance has issued a public advisory urging customers to be vigilant against phishing attempts and other scams that may arise from the leaked information.

Income Insurance’s policyholders are advised to remain alert to potential phishing schemes. They should not share login credentials or one-time passwords (OTPs), avoid clicking on suspicious links or scanning unfamiliar QR codes, and access their policy details only via verified channels such as the Income website or official apps.

In cases of suspected scams, customers are urged to call 6788 1777 or the National Anti-Scam Hotline at 1800-722-6688. Suspicious numbers can also be reported via the ScamShield app.

HomeTeamNS hit by ransomware attack in Feb 2025

In March, HomeTeamNS reported that some of its servers were affected by a ransomware attack, which was discovered on 25 February.

The affected servers contained data belonging to employees and former employees, as well as vehicle details of some members and affiliate members.

HomeTeamNS serves over 260,000 NSmen, providing sports and recreational facilities across four clubhouses, along with food and beverage outlets.

In April, another ransomware attack on printing vendor Toppan Next Tech has exposed customer data from DBS and Bank of China, Singapore.

While no login information was breached, over 8,000 DBS customer documents may have been compromised.

Ransomware attacks typically involve threat actors encrypting files on servers and demanding ransom in exchange for unlocking them.

Follow us on WhatsApp

Follow us on Telegram