Ransomware Attack on Singapore Data Provider Exposes Policyholders’ Personal Information
A ransomware attack on DataPost, a Singapore-based data handling service provider, has compromised the personal information of at least 146 Income Insurance policyholders. The breach, detected on May 27, involved the unauthorized exfiltration of sensitive data, including names, postal addresses, policy numbers, plans, and 2024 annual bonuses.
DataPost, which processes over 40 million documents monthly for financial institutions, government agencies, and insurers, confirmed the attack on May 29 but stated that its investigation remains ongoing. The company, accredited by Singapore’s Infocomm Media Development Authority (IMDA) for its InvoiceNow e-invoicing network, handles critical document printing and mailing services, including those for Income Insurance.
The attack was first flagged by cybersecurity platforms RedPacket Security and HookPhish, which identified the threat group “direwolf” as responsible. The group allegedly deployed infostealers malicious software designed to extract data in a coordinated operation. While ransomware typically encrypts files for extortion, this incident involved data theft, raising concerns over potential misuse.
Income Insurance was notified of the breach on May 26 and immediately suspended all printing jobs with DataPost, reinforced firewall protections, and blocked connections to the vendor. The insurer stated there is no evidence of unauthorized access to its digital platforms but remains on “heightened alert” while working with authorities, including the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA), to assess the full impact.
DataPost, which undergoes annual security audits by banks and third-party assessors, has pledged full compliance with regulatory obligations. Both companies are coordinating with affected policyholders, though the scale and severity of the breach are still under investigation. The incident underscores the risks faced by third-party service providers in handling sensitive financial and personal data.
DataPost TPRM report: https://www.rankiteo.com/company/datapostsg
Income Insurance TPRM report: https://www.rankiteo.com/company/incomeinsurance
"id": "datinc1772024501",
"linkid": "datapostsg, incomeinsurance",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Financial institutions, '
'government agencies, insurers',
'industry': 'Document processing, printing, and '
'mailing services',
'location': 'Singapore',
'name': 'DataPost',
'type': 'Data handling service provider'},
{'customers_affected': '146 policyholders',
'industry': 'Insurance',
'location': 'Singapore',
'name': 'Income Insurance',
'type': 'Insurance provider'}],
'attack_vector': 'Infostealers',
'customer_advisories': 'Coordinating with affected policyholders',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '146',
'personally_identifiable_information': 'Names, postal '
'addresses, policy '
'numbers',
'sensitivity_of_data': 'High (names, postal addresses, policy '
'numbers, plans, annual bonuses)',
'type_of_data_compromised': 'Personal information'},
'date_detected': '2024-05-27',
'date_publicly_disclosed': '2024-05-29',
'description': 'A ransomware attack on DataPost, a Singapore-based data '
'handling service provider, has compromised the personal '
'information of at least 146 Income Insurance policyholders. '
'The breach involved the unauthorized exfiltration of '
'sensitive data, including names, postal addresses, policy '
'numbers, plans, and 2024 annual bonuses.',
'impact': {'brand_reputation_impact': 'Heightened concerns over third-party '
'service provider risks',
'data_compromised': 'Names, postal addresses, policy numbers, '
'plans, and 2024 annual bonuses',
'identity_theft_risk': 'Potential misuse of personal information',
'operational_impact': 'Suspension of printing jobs with DataPost'},
'investigation_status': 'Ongoing',
'motivation': 'Data theft',
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'RedPacket Security'}, {'source': 'HookPhish'}],
'regulatory_compliance': {'regulatory_notifications': 'Personal Data '
'Protection Commission '
'(PDPC), Cyber Security '
'Agency of Singapore '
'(CSA)'},
'response': {'communication_strategy': 'Coordinating with affected '
'policyholders',
'containment_measures': 'Suspended all printing jobs with '
'DataPost, reinforced firewall '
'protections, blocked connections to the '
'vendor',
'enhanced_monitoring': 'Heightened alert',
'law_enforcement_notified': 'Personal Data Protection Commission '
'(PDPC), Cyber Security Agency of '
'Singapore (CSA)'},
'threat_actor': 'direwolf',
'title': 'Ransomware Attack on Singapore Data Provider Exposes Policyholders’ '
'Personal Information',
'type': 'Ransomware'}