Cyber Incident Victim: ST Telemedia Global Data Centres
Date: Sep 2021
Location: Singapore
Summary
Hackers obtained login credentials for customer service portals operated by a Singapore-based data centre operator and its Chinese affiliate, compromising email addresses and passwords for over 1,000 and 3,000 individuals respectively. The stolen credentials enabled unauthorized access to customer-support websites and potential phishing campaigns targeting high-level corporate personnel. The operator confirmed no data loss or operational impact occurred, attributing the breach to a third-party cloud-hosted ticketing tool segregated from critical infrastructure. Mitigation included forced password resets, two-factor authentication, and security hardening after detecting renewed attack attempts. The Chinese affiliate described subsequent incidents as isolated events involving outdated credentials rather than systemic vulnerabilities.
Description
In September 2021, hackers obtained login credentials—email addresses and passwords—for customer service portals operated by ST Telemedia Global Data Centres (STT GDC) and Chinese data center operator GDS. Cybersecurity firm Resecurity discovered the stolen data caches that month, identifying compromised credentials for over 1,000 individuals at STT GDC and more than 3,000 at GDS, including employees and customers. The breach affected approximately 2,000 customers collectively, including major multinational companies. STT GDC acknowledged being notified in September 2021 about a purported list of user credentials circulating on the dark web and took immediate action, including internal investigations and engagement of external cybersecurity providers. The compromised system was identified as a third-party cloud-hosted customer service ticketing tool used for non-critical requests like delivery bookings, which STT GDC confirmed had no connection to corporate systems or critical infrastructure. No unauthorized access or data loss was observed from this system during initial investigations. Meanwhile, hackers maintained access to the stolen credentials for over a year, using them to impersonate authorized users on customer portals as recently as January 2023, according to Resecurity’s findings.

In January 2023, STT GDC received additional notifications about threats to customer portals in India and Thailand, prompting further reviews that again indicated no data loss or operational impact. Both STT GDC and GDS enforced mandatory password resets that month after detecting continued attacker attempts to exploit old credentials. Following these resets, hackers listed the databases for sale on dark web forums in English and Chinese. STT GDC implemented supplementary security measures including two-factor authentication and infrastructure hardening, asserting that unauthorized portal access was no longer possible and emphasizing the segregation of critical data center systems from customer-facing applications. GDS faced additional exposure from compromised surveillance camera credentials—over 30,000 devices—many secured with weak default passwords like “admin12345.” A GDS spokesperson characterized a January 2023 incident as isolated, attributing it to a single customer’s failure to reset an ex-employee’s account password rather than a systemic vulnerability. Both firms maintained that their core data center operations remained unaffected throughout the incident.
