Data Leak in DBS Bank and Bank of China, Data of thousands of Bank Customers leaked
Customer data from two major banks in Singapore – DBS Bank and Bank of China (Singapore) – was exposed in a cyberattack, but the good news is that login details and account security were not compromised. The data leak occurred due to a ransomware attack on Toppan Next Tech, a third-party company responsible for printing and sending paper statements and letters for both banks.
According to a joint statement released by the Cyber Security Agency of Singapore (CSA) and the Monetary Authority of Singapore (MAS) on April 7, the attackers may have accessed customer documents processed by Toppan between December 2024 and February 2025.
DBS reported that around 8,200 of its customers were potentially affected. Most of them were users of its brokerage service, DBS Vickers, and its short-term loan service, Cashline. The leaked information may include customer names, mailing addresses, and financial details related to their stock investments and loans.
However, sensitive data like login credentials, passwords, identity numbers (NRIC), deposit balances, or overall wealth information was not part of the compromised documents. DBS clarified that the files it sends to Toppan are encrypted, and it is not clear whether the hacker managed to decrypt them. As a precaution, DBS has suspended all printing operations with Toppan and increased monitoring of potentially impacted accounts.
Similarly, Bank of China said that approximately 3,000 customers were affected. The data potentially accessed includes names, addresses, and some loan account numbers. Both banks have notified affected customers and placed their accounts under enhanced surveillance to prevent misuse.
Toppan, in its own statement, confirmed that the cyberattack was random and affected its business operations at its Joo Koon Circle office. The company immediately blocked the hacker’s access point and is working with a forensic investigation team to understand how the attack happened. The firm also reported the breach to Singapore’s Personal Data Protection Commission (PDPC) on April 6.
CSA and MAS are actively supporting the investigation, guiding Toppan on how to contain the threat, and working with both banks to ensure strong risk controls are in place. Toppan’s managing director expressed deep regret over the incident and assured that a thorough security audit is underway to prevent such events in the future.
Though this situation is concerning, it is reassuring that bank systems remain secure, no unauthorized transactions have been detected, and customers’ money is safe. The affected parties are taking proactive steps to safeguard data and prevent any long-term damage.
