Three experts share their views on the current cyber-talk of the town, painting a picture of hungry hackers stalking complacent merchants.
Users of the Eatigo platform are always eager for time-based epicurean bargains, but 2.8m of them got more than they bargained for, when their 2019 personal data (name, email address and phone number) was illegally accessed by hackers.
Similarly, 1.1 million RedMart users’ 18-month-old data was declared last week to have leaked, a sign of careless integration into Lazada’s infrastructure when RedMart was acquired by Lazada.
Both companies made futile assurances that the data exposed were from old databases that were no longer in use. Yet data protection laws already cover this scenario. Should companies be responsible for data like these? What can customers do to protect themselves?
To make matters more embarrassing, it was only after the stolen data was publicly offered for sale on the Dark Web that the organizations concerned admitted to knowledge of the breach, under intensive queries by the media.
Investigations are under way at this moment, and the jury is still out on what went wrong, but CybersecAsia received three experts’ views that may help us understand how breaches of this size are still happening.
Hackers are agile and hungry
According to Stephan Neumeier, Managing Director (Asia Pacific), Kaspersky, as we increase our reliance on online shopping, e-commerce and booking platforms will continue to be a prime target for hackers as they often contain a wealth of customer data.
While it is unfortunate that both incidents occurred so close to each other, the key takeaway is that cybercriminals do not look at auspicious timings before acting: the moment they detect any vulnerabilities in your system, they will take immediate action to exploit them.
“With a single data breach costing over US$1 million on average for businesses in Southeast Asia, businesses stand to lose an additional US$186 million in business opportunities in the aftermath of a data breach. While it is heartening that our data found that 84% of Southeast Asian businesses have made plans to increase their budget in IT security, there remain significant gaps when it comes to IT infrastructure hosted by third parties, as well as challenges pertaining to the migration of more advanced and complex technology environments,” Neumeier said.
In these two examples, endpoint security solutions and employing a proper IT migration protocol would have helped the two businesses minimise the occurrence of data breaches. For example, endpoint security solutions are often understood as the first layer of defence, and they can help prevent unauthorised access into your IT system.
On another note, businesses should not get too carried away by the process of digitalization. Constant upgrades and shifts to new operating systems may bring added efficiencies and greater convenience to your business operations and customers, but the new systems need to be properly integrated with your existing ones, or there must be policies in place to ensure that data is no longer stored on your legacy infrastructure, Neumeier reiterated.
All retained data is at risk
The two data leak incidents are “hardly surprising” to Jonathan Knudsen, a Senior Security Strategist at Synopsys Software Integrity Group.
“They are a continuation of the parade of data leaks we’ve seen over the past few years. What can ordinary people do? Consumers do not have much individual power. We would like to strongly encourage companies to be scrupulously careful about their cybersecurity, to safeguard your information as carefully as you do. In the absence of collective action, or strong legislation, consumers are mostly on their own. The best you can do is recognize this reality and take steps to protect yourself. Given the sheer number and volume of data breaches, every consumer should assume that at least some of his or her personal information is available to cybercriminals,” Knudsen opined.
A third expert, also from Synopsys, said that data retention and archival processes should be part of any digital privacy and cybersecurity plan. “While it’s reasonable to presume that attackers prefer to access current transaction information, there is always value to be found in looking at older data. This is one reason why Section 25 of Singapore’s PDPA exists,” said the firm’s Principal Security Strategist Tim Mackey.
Businesses should look at all retained data as contributing to business risk, with personal data having some of the highest risk. So, while it might be tempting to look at historical data as valuable for data mining and profiling activities, careful attention should be paid to the type of data used in such analysis, said Mackey. “For example, should data archives have a copy of user passwords—even if the password is encrypted? Has the anonymization process been reviewed to ensure the remaining data can’t be combined with third-party data sources to reconstruct the original data? Combining data from multiple sources is an example of something that cybercriminals might do to increase the value of the data they steal.”
Taking control into our own hands
With this in mind, Knudsen recommends that consumers be highly skeptical of unsolicited emails or phone calls, even when the caller seems to know information that only a legitimate organization would know. In addition, follow these three tips:
- Never, ever provide passwords, government identification numbers, account numbers, or other sensitive information in response to unsolicited communications.
- Ask to call back anyone asking for such information. Independently verify that the request is valid before taking any action you will regret later.
- Use two-factor or, better still, multi-factor authentication for any sensitive services. This minimizes the risk of an attacker using your stolen credentials in a credential-stuffing attack.
Kaspersky’s Neumeier recommends that consumers inculcate a sense of responsibility for how they handle their personal and corporate data inside their home networks. Likewise, companies should beef up their defenses to keep their corporate and customers’ data safe. He offers these best practices:
- Employ training and activities that will educate employees about cybersecurity basics.
- Regularly remind staff about how to deal with sensitive data, such as storing it only in trusted cloud services with authentication switched on, and not sharing it with untrusted third parties.
- Enforce use of legitimate software downloaded from official sources.
- Back up essential data and regularly update IT equipment and applications to avoid unpatched vulnerabilities that can become a cause of a breach.
- Use a dedicated endpoint product that requires minimal management, allowing employees to do their main job while protecting them from malware, ransomware, account takeover, online fraud, scams and other suspicious hacker exploits.
For major e-commerce companies handling millions of data records, Kaspersky suggests that they provide their Security Operations Center team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
For endpoint level detection, investigation and timely remediation of incidents, implementing endpoint detection and response can be proactive and invaluable in buying time for crisis response.
In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.