BACKGROUND
On 6 April 2025, a ransomware attack hit Toppan Next Tech (Toppan), a printing vendor servicing DBS Bank (DBS) and Bank of China Singapore (BOC). While no direct bank systems were breached, the exposure of personal data from over 11,000 customers underscores how supply chain weaknesses can undermine even the most secure institutions.
1. Outsourcing/Third-Party Risks: The Weakest Link in Cybersecurity
Banks invest heavily in securing their own systems, but their outsourcing partners, often with less stringent protections, can become easy targets. In this case, attackers infiltrated Toppan’s operations, accessing customer statements containing names, addresses, and transaction details. Though no passwords or NRIC numbers were leaked, the breach still poses phishing and social engineering risks.
This incident mirrors past global breaches (e.g., the 2020 SolarWinds hack) where attackers exploited infrastructure weaknesses at outsourced vendors to infiltrate those vendors' customers, which are often large organizations. Financial institutions must enforce stricter cybersecurity requirements for IT vendors, including real-time monitoring and mandatory breach simulations, as stated in various regulations and guidelines.
2. Rapid Response Mitigates Damage—But Questions Remain
The banks and authorities reacted swiftly:
- DBS & BOC suspended printing with Toppan and enhanced account monitoring.
- CSA and MAS stepped in to assist investigations.
- Toppan claims it cut off the attacker’s entry point and hired forensic experts.
However, key questions linger:
- Was data exfiltrated or just encrypted? If stolen, it could resurface in future scams.
- Why were printed statements not further secured? DBS sent files encrypted, but if hackers gained access to Toppan’s internal systems, they could have intercepted decrypted files during printing.
- How long was Toppan compromised before detection? Early warnings could have reduced exposure.
3. Regulatory and Customer Trust Implications for FIs
Singapore’s strict personal data protection laws (PDPA and subsidiary regulations) mean Toppan could face penalties if negligence is found. However, DBS and BOC cannot absolve themselves of accountability, even if the breach occurred at a vendor. Financial regulations pertaining to outsourcing clearly state that FIs are expected to manage outsourcing risks, a major one being the handling of customer data. This incident could have legal, financial, and reputational repercussions for DBS and BOC if investigations reveal lapses in their vendor risk management.
4. Conclusion: A Wake-Up Call for Supply Chain Security
This breach is a reminder that cybersecurity is only as strong as its weakest link, whether the deficiency is internal or external. While Singapore’s financial sector generally has robust cybersecurity defences, this incident, which is not the first to hit DBS and other major organisations in Singapore, shows that external vendors handling sensitive customer data remain a critical risk for all FIs.
FIs must treat third-party cybersecurity as an extension of their own, or face recurring breaches and heavy penalties, in addition to possible customer exit.
WHAT’S NEXT?
Managements of FIs should:
- Review and assess the cybersecurity controls of third parties handling personal data.
- Align all third-party service agreements with MAS Guidelines on Outsourcing.
- Conduct internal audits / joint tests with third parties on their cybersecurity measures and protection of personal data, or require recognised cybersecurity certifications.
And more…
HOW CAN WE HELP?
The FooKonTan LLP group (FKT) and Capital Governance (S) Pte Ltd (CG) received the Cybersecurity Certification – Cyber Trust mark (CTM) issued by the Cybersecurity Agency of Singapore in December 2024. The CTM received by FKT and CG is that of a Cyber Trust Certified Advocate, which is the highest tier (Tier 5) status for an organisation's cybersecurity infrastructure in Singapore. This is a critical validation of our cybersecurity management, and directly relevant to our outsourcing services to FIs.
Contact us today to discuss how we can provide risk and compliance advisory solutions for you.



