
Ransomware attack on Singapore vendor DataPost exposes data of Income Insurance customers


A ransomware attack targeting Singapore-based data handling firm DataPost has compromised the personal information of at least 146 policyholders of Income Insurance, the insurer confirmed on May 29. The breach involved unauthorized access to bonus statements that contained sensitive customer data, including names, postal addresses, policy numbers, policy plans, and annual bonuses for the year 2024.


Income Insurance stated that it was notified of the incident on May 25 and promptly halted all printing operations with DataPost, the vendor responsible for mailing policyholder documents. Additional precautionary measures included blocking all digital connections to DataPost and tightening firewall defenses to mitigate further risk.


The attack, which was first flagged by cybersecurity sources RedPacket Security and HookPhish on May 27, was reportedly orchestrated by a threat group known as "direwolf." According to RedPacket Security, the attackers used multiple malicious tools, including infostealers, in what appears to be a coordinated effort to exfiltrate data. DataPost acknowledged that it is in the early stages of investigating the breach and warned that a full assessment will take time to complete.


Income Insurance emphasized that its internal systems remain secure and that there is currently no indication of unauthorized access to its digital platforms. The insurer has reached out directly to affected and potentially affected customers and remains on heightened alert to detect any suspicious activity related to its accounts or infrastructure.


In a statement, Income Insurance CEO Andrew Yeo assured policyholders that their privacy remains a top priority. “We believe in informing our policyholders promptly and empathise with the concern this incident may cause,” Yeo said. The insurer is also working closely with DataPost and relevant authorities to determine the full scope of the breach.


Singapore’s Personal Data Protection Commission (PDPC) and the Cyber Security Agency have launched investigations into the incident. The PDPC confirmed it is looking into the matter, while the Cyber Security Agency has offered support to DataPost and is closely monitoring developments.


DataPost, a major provider of document processing and electronic invoicing services, handles over 40 million documents each month. It services a wide range of clients including government agencies, telecommunication companies, and financial institutions in Singapore and Malaysia. The firm is also the accredited provider for InvoiceNow, a national e-invoicing network operated under Singapore’s Infocomm Media Development Authority (IMDA).


Despite the scope of its operations, DataPost has yet to disclose whether other clients beyond Income Insurance were affected by the attack. The company stated that it takes data security seriously and is cooperating fully with authorities. “We will continue to take all necessary steps to address this situation,” a spokesperson said.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543