Combating cyber crimes
Two high-profile data thefts have put the spotlight on digital security in Malaysia
REPORTS on what is believed to be Malaysia’s biggest ever data breach first surfaced on online news portal Lowyat.net on Oct 19.
The leak was reported after the portal received a tip-off that someone was attempting to sell huge databases of personal details belonging to Malaysians for an undisclosed amount of Bitcoin, a form of digital currency.
The leak reportedly involved 46.2 million mobile phone subscribers in the country.
According to the breached documents seen by The Star, the leaked data includes personal information of subscribers of telcos and Internet service providers, namely Altel, Celcom, Digi, Enabling Asia, Friendi Mobile, Maxis, Merchant Trade Asia, PLDT, REDtone, Tune Talk, U Mobile and XOX.
The information leaked included mobile phone numbers, home addresses, MyKad information as well as mobile SIM card information, among other personal data.
Other databases that were breached belong to JobStreet, Academy of Medicine Malaysia, Malaysian Medical Council, Malaysian Dental Association, Malaysian Medical Association, National Specialist Register of Malaysia and FxUnited.
The actual data breach is believed to have happened in 2014.
The Malaysian Communications and Multimedia Commission and the Commercial Crimes Investigation Department are investigating the case, with the police saying recently that they have strong leads on how the data was compromised and who was involved.
Inspector-General of Police Tan Sri Mohamad Fuzi Harun said investigators have pieced together how the data was breached, and that the evidence pointed towards an “inside job”.
“There is a possibility that this (the breach) occurred after several staff from a company tasked with transferring the data took advantage of the situation,” he was quoted as saying.
In a separate development, the CIMB Banking Group reported earlier this week that several of its magnetic tapes containing back-up data were physically lost in transit during routine operations.
It said some of these tapes contained customer information of CIMB Bank and its subsidiaries.
The bank said there was currently no evidence that any of this information has been compromised, and that the tape data does not contain any authentication data such as PINs, passwords or credit card CVV numbers.
While it is crucial for companies to invest in the latest software to protect their systems from being hacked by cybercriminals, these recent developments have also highlighted the importance of ensuring that sensitive data is not misused by employees of these companies themselves.
Restricting employee access to such sensitive customer data and setting up a system to monitor any form of data transfer are seemingly as important as using the latest and most up-to-date software to prevent hackers from breaking into the company’s database.
Consolidated approach needed
According to information management firm Commvault, organisations, particularly those in data-rich industries, should have a holistic, end-to-end solution that saves valuable data assets and speeds up the recovery process – before permanent damage manifests in the long term.
“The recent data breach reminds us that there are always going to be malicious attempts to evade prevention and detection systems.
“Therefore, organisations need to understand and know how their data is used within their business, including where it is stored, who has access to it, and if a system is compromised, exactly what data is affected,” Commvault’s country manager Malaysia, Freddie Soon tells StarBizWeek.
Data, he says, is “the heartbeat” of any information-driven business, and as a result, a data breach could happen to any company at any time.
He notes that the impact of the breach varies, depending on the type, timeliness, quality and size of the data being compromised.
The impact can range from minor processing delays and small shifts in operational processes to, at the other extreme, malicious activities such as identity theft.
“All companies should take a consolidated approach at ensuring the safety of data, by having a robust cybersecurity infrastructure as well as a defined and holistic data management strategy.
“In today’s complex threat landscape and digital age, businesses are realising that data is their most strategic asset,” he says.
“Governments are also increasingly playing a role in safeguarding personal data with the development of new legislations that regulate how companies manage sensitive data. The fact that there are several pieces of legislation worldwide focused on ensuring the protection of data, such as the EU’s GDPR, highlights that this is a borderless issue that spans countries.”
Soon adds that businesses have a responsibility to protect data entrusted to them no matter where it is, and they can only begin doing this if they understand exactly where it is, and how it is used.
On the issue of cost, Soon says that while preventative security measures should be part of any comprehensive defence mechanism, companies can never be too safe.
Business leaders, he says, need to first invest in better knowing and understanding the data that resides within their businesses.
“Organisations can reduce costs by implementing a good data management and protection strategy that further strengthens their overall cybersecurity infrastructure.
“This starts with a data management platform that integrates easily with other applications, clouds and on-premise solutions.
“Business leaders should turn to solutions that offload the burden around managing encryption away from the end user, while ensuring that data can be accessed with the same speed and convenience that it would under normal circumstances,” he says.
On the other side of the coin, there is also the worry about employees of the companies entrusted with storing personal information, leaking such data to make a quick profit.
Soon stresses that organisations need to have a comprehensive cybersecurity strategy which encompasses one of their most valuable assets – their employees.
Employers, he says, must take the time to educate employees on cyber hygiene practices around firewalls, antivirus, anti-phishing, edge protection and data protection.
Equally crucial is that employees are educated about the need to practice caution and to delete emails and messages with strange attachments and bad links.
“Even with extensive knowledge of cyber hygiene, there is the potential for human error. This is where endpoint data protection is key in safeguarding an organisation’s weakest links with an extra shield,” he says.
Endpoint data protection, he says, enables organisations to minimise data leakages with built-in security settings that allow users to encrypt files and folders, track geo-location and securely wipe data from lost or stolen laptops.
This can be especially helpful during a data breach, Soon adds.
“A company that understands its data, understands its uses – who has access to it, when it is accessed, what it contains, its sensitivity. This is the basis of any data protection policy for organisations of any size,” he says.
In July, Malaysia was ranked third among 193 countries in terms of its commitment to cybersecurity, in the Global Cybersecurity Index (GCI) 2017.
Malaysia had achieved a score of 0.89, behind Singapore and the United States.
Malaysia’s creation of the Information Security Certification Body, a department in Cybersecurity Malaysia, was cited in the report as one of the reasons behind its excellent ranking and its commitment to ensuring a safe cyberspace.
The study assesses a country based on five pillars, namely legal, technical, organisational, capacity building, and cooperation.
It is the second consecutive year that Malaysia has maintained the ranking.
Countries in the top 10 included Oman, Estonia, Mauritius, Australia, Georgia, France and Canada.
While this is indeed a positive sign, how truly prepared are Malaysian companies in the event of a cyber attack?
Another survey conducted during the same month presented a contrasting view.
A study conducted by managed security services provider Quann and research firm IDC found that 96% of Malaysian companies are only in the early stages of security preparedness.
It said the majority of Malaysian companies are unprepared for cyber attacks and had demonstrated significant gaps in security development, cyber awareness and resources.
The Quann IT Security End User Study 2017 revealed that 46% of the companies involved in the survey only had basic IT security features such as firewalls and antivirus software, and were not equipped with security intelligence and event management systems to raise alerts for any anomalies or suspicious activity.
In August, IDC Malaysia’s senior market analyst, Business and IT Services Research, Sherrel Roche stressed that Malaysia needed to develop and strengthen its regulatory environment and data breach notification laws.
“The Government has an important role to play in ensuring effective cybersecurity, and regulators have to be more active and collaborative to shore up cybersecurity defenses.
“This in turn will enhance the security environment and open the market to new opportunities, new growth industries, global partnerships, and boost the presence of local security service providers internationally,” she says.
Prior to reports of the latest data breach, the most recent major cybersecurity scare in Malaysia was an attack on several local online brokerages in July.
The services provided by these online brokerages were disrupted by a distributed denial of service (DDoS) attack launched by hackers demanding money.
This came just weeks after malware WannaCry and NotPetya – used to encrypt the files of infected computers and hold the owners to ransom – crippled hundreds of businesses worldwide.
The attack, which infected hundreds of thousands of computers around the world, had also hit some Malaysian companies.
According to CyberSecurity Malaysia, 6,274 cases related to cyber attacks have been recorded as of September this year.