More than 11,000 banking customers in Singapore have exposed their personal data after a ransomware attack hit a printing vendor working with DBS Bank and Bank of China (Singapore). While your login information and banking credentials were not compromised, the incident has raised concerns over data privacy and vendor security.
According to a joint statement from the Cyber Security Agency of Singapore (CSA) and the Monetary Authority of Singapore (MAS) on April 7, the attack targeted Toppan Next Tech, a third-party vendor used by both banks to print and send physical letters to customers.
What happened, and who is affected?
The attack affected approximately 8,200 DBS customers and around 3,000 Bank of China customers. The stolen information came from printed customer statements and letters sent between December 2024 and February 2025. DBS’s affected customers are mainly those using the brokerage service DBS Vickers or the Cashline short-term loan facility.
The type of data exposed includes your name, mailing address, and information related to your investments or loan details. However, DBS confirmed that sensitive information like passwords, login credentials, National Registration Identity Card (NRIC) numbers, deposit balances, or total wealth holdings was not part of the breach.
Bank of China reported that the data may include names, addresses, and loan account numbers in some instances. Like DBS, they stressed that your funds and bank systems remain safe and unaffected.
Vendor breach and bank response
The printing company Toppan Next Tech was the entry point for the attackers. Toppan confirmed in a separate statement that its site at Joo Koon Circle was the target of a random ransomware attack affecting its business operations. The firm said it quickly cut off the hacker’s access point and has since been monitoring the situation closely.
Toppan also engaged a professional forensic investigation company to examine the scale and cause of the breach. Its managing director, Chia Yan Heng, expressed regret over the incident and apologised for the concern it caused the clients. He said the company is currently conducting a security audit of all systems to ensure the highest data protection standards in the future.
In response to the breach, DBS stated that customer documents were sent to Toppan as encrypted files. It is still unclear if the attackers managed to decrypt these files. The bank has since stopped all printing activities with Toppan and raised its monitoring of affected accounts to detect any unusual activity. Affected customers are also being contacted directly.
Authorities and banks taking extra precautions
The CSA and MAS have said they are actively investigating the breach. CSA is helping Toppan manage containment efforts and is working closely with the vendor. MAS is keeping in contact with the banks to ensure that proper security steps are being taken.
Additionally, both DBS and Bank of China have placed the affected accounts under enhanced monitoring and have begun reaching out to those whose data was exposed. Toppan reported the incident to the Personal Data Protection Commission (PDPC) on the evening of April 6.
While your money remains secure, the incident reminds us of the risks that can come from third-party service providers. If you are a bank customer and receive printed statements or letters, you should be extra cautious and stay alert to any unusual activity or mail.
