CYBER THREAT ARTICLE - Mitigating Data Breaches and Protecting Personal Data
CTI Perspective – Mitigating Data Breaches and Protecting Personal Data
Data breaches are increasingly common and, in some cases, evolved into a viable revenue stream for perpetrators during the Covid-19 pandemic. Given the proliferation of high-profile breaches in Singapore, organisations should review their cybersecurity posture thoroughly and identify how cyber threat intelligence (CTI) could enhance the security of their personal and business data.
The Association of Information Security Professionals (AiSP) organised a knowledge-sharing event on 1 December 2021 for its Cyber Threat Intelligence Special Interest Group (CTI SIG), to discuss the trends in data breaches in Singapore and how we can safeguard sensitive data as part of organisations’ compliance with the Personal Data Protection Act (PDPA). Some highlights of the event’s panel discussion are covered here.
Perpetrators’ motivation for causing data breaches
Personal data or personally identifiable information (PII) is valuable, not just to the data subjects who own their personal data, but to others who want to commit identity fraud. In reality, identity fraud is not as insidious as in movies; it is fairly common when one wants to exploit what others have, such as their social network, credentials and credit standing, through impersonation. Our speaker and panellist Dr Guy Almog from Cyberint also shared ways individuals can mitigate their exposure of personal data.
There is also a wide range of phishing attempts and data breach related activities monitored in the dark web involving corporate and personal data, as presented by one of our speakers, Ray Koh from Cyberint:

| Phishing / Brand abuse | Dark Web monitoring |
| --- | --- |
| Executive impersonation in social media | Employee credentials |
| Brand impersonation in social media | Private access token |
| Brand abuse websites detection | Customer credentials exposed |
| Mobile applications impersonation | Customer payment cards exposed |
| Domain squatting | Credential stuffing tool targeting company |
| Phishing websites detection | Brute force tool targeting company |
| Phishing beacon | Data scraping tool for company application |
| Advanced phishing detection | Vulnerability scanner targeting company |
| Advanced attacks detection | |
| Source code disclosed | |
| Leaked documents | |
| Advanced sensitive information disclosure | |
| Refund fraud services and tutorials | |
| Carding services and tutorials | |
| Advanced fraudulent activities | |
During the Covid pandemic, many people have been working remotely and are not able to have in-person identification for verification. This has attracted more perpetrators to steal personal data from less tech-savvy individuals through data breaches.
Gaps in Protecting Personal Data in Organisations
In the context of the November 2021 data breaches involving individuals’ personal data that warrants a higher level of protection, the panel moderator Mr Andrew Ong facilitated a discussion involving three panellists on the state of PDPA compliance pertaining to the NUS Society breach and RedDoorz’s 5.9 million affected customers. Given the trend of heavier fines imposed by the Personal Data Protection Commission (PDPC) (see source), I shared on the impact and implications of such a breach in my capacity from the AiSP Data & Privacy Special Interest Group.
Besides the PDPA fine arising from the data breaches, the reputation and credibility of being a trusted and properly managed organisation have been affected. Notably for the start-up RedDoorz (company: Commeasure Pte Ltd), which has a number of investors, its business model is highly dependent on processing customers’ bookings and personal data via a digital platform. It was reported that the company has been losing money during the Covid pandemic, and this event may worsen its financial situation further.
For NUS Society (NUSS), the data was taken from its website, which was hosted by a third-party web hosting provider - the database was hacked. It is evident that NUSS may not have assessed why it has to retain full NRIC numbers of its graduates (from local and foreign universities). Since it already generates membership numbers, it should minimise the data it collects, given that there is a lucrative market in selling and re-selling personal data for nefarious means (see source). The PDPC has reiterated the proper use of NRIC numbers since August 2018.
Our panellist Mr YC Lian, who is also a member of the CTI SIG, shared his views at the event and post-event on guidelines for organisations to handle personal data. Data security is often an afterthought to developers; there is a need to shift left with threat modelling. In addition, agile and lean startups have changed the way software is built. The need for speed and an MVP has robbed many developers of giving deep thought to adapting incrementally.
The ease of implementing controls is not a substitute for understanding JTBD[1]. CIA[2] is better expressed as CIAPS[3], where P refers to privacy and S to safety. Under privacy, there are rights to withdraw consent, update and destroy. Safety would be the freedom from risks. Migrating to clouds creates a model of shared responsibility between the organisations and the cloud service providers. Organisations should not outsource the management of customer data without proper consideration of its fit for purpose, performance, continuity, etc.
When asked about current observations or misconceptions in handling such sensitive data, YC elaborated that one does not need fancy tools and technical jargon (SIEM, SOAR, CWPP, CSPM, etc.) to build good culture, hygiene and processes. Organisations’ understanding of their competence and constraints would help them make better decisions, such as choosing between IaaS and PaaS or DBaaS.
Besides explaining how a CTI service can assist organisations in addressing a potential data breach, Dr Guy also elaborated, from his experience, on the accuracy and usefulness of the information extracted from CTI. More details are available in AiSP’s member-only playback of the webinar recording[4].
On best practices or current guidance for organisations handling personal data, I feel it is important to consider the organisation’s risk appetite, level of staff awareness, effectiveness of training, and how to use CTI strategically. Organisations are often challenged by limited resources and bandwidth, and it would be helpful to prioritise mitigation controls by referencing CTI and data breach trends. Not all risks are equal in terms of impact for two organisations in the same industry; it depends on your risk appetite and culture. In the course of my data protection work, I often have to dig deep into people’s behaviours, as they can make or break operational compliance.
Mitigating Data Breaches in Organisations
Data breaches have become the norm; thus, it would be productive to reduce the impact of a breach, e.g., by segregating types of personal data, such as sensitive data, from the rest. A useful way is to have 2FA or multi-factor authentication depending on the criticality of the access. Take a holistic approach and map out the infosec measures available to your organisation in terms of resources and budget, sustainability, corporate culture and people behaviour, as part of your 2022 planning.
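The two measures above (segregating sensitive personal data, and stepping up to a second factor according to the criticality of the access), together with the data-minimisation point raised about NUSS retaining full NRIC numbers, can be illustrated in code. The following is an added example written for this article; it is not code from AiSP, Cyberint, NUSS or RedDoorz. It assumes a simple membership system in which the organisation issues its own membership number, keeps the general profile and the sensitive record in separate stores, retains only a keyed pseudonym of the NRIC (enough to detect duplicate enrolments, never the number itself), and requires a completed second factor before the sensitive tier can be read. The key, names and NRIC-format value are constructed sample data.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed demo key. In production this would come from a KMS/HSM and be held
# apart from the database, so a dump of the data alone cannot be matched to NRICs.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def pseudonymise(nric: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token for an NRIC: supports matching/de-duplication without
    retaining the number. A plain SHA-256 would be guessable because the NRIC
    space is small; the secret key is what makes the token safe to store."""
    return hmac.new(key, nric.strip().upper().encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool = False
    mfa_verified: bool = False  # second factor completed in this session


# Access policy per data tier: session attributes that must be true.
TIER_POLICY = {
    "general": ("authenticated",),
    "sensitive": ("authenticated", "mfa_verified"),
}


class MemberStore:
    """Two segregated stores: the general profile (tier 'general') and the
    sensitive record (tier 'sensitive'). Only the sensitive tier holds anything
    derived from the NRIC, and even that is the keyed token, not the number."""

    def __init__(self) -> None:
        self._general = {}         # membership_no -> profile
        self._sensitive = {}       # membership_no -> sensitive record
        self._token_index = {}     # nric_token -> membership_no
        self._seq = itertools.count(1)
        self.audit = []            # (user, tier, membership_no, outcome)

    def enrol(self, name: str, email: str, nric: str) -> str:
        """Register a member. The NRIC is reduced to a keyed token and the full
        number is never written. Returns the generated membership number, which
        is the identifier every other system should use."""
        token = pseudonymise(nric)
        if token in self._token_index:
            raise ValueError("member already enrolled")
        membership_no = f"M{next(self._seq):06d}"
        self._general[membership_no] = {"name": name, "email": email}
        self._sensitive[membership_no] = {"nric_token": token}
        self._token_index[token] = membership_no
        return membership_no

    def _authorise(self, session: Session, tier: str, membership_no: str) -> None:
        # Every decision is logged, denied ones with the factor that was missing.
        missing = [p for p in TIER_POLICY[tier] if not getattr(session, p)]
        outcome = "denied:" + ",".join(missing) if missing else "granted"
        self.audit.append((session.user, tier, membership_no, outcome))
        if missing:
            raise PermissionError(f"{tier} tier requires {', '.join(missing)}")

    def read(self, session: Session, tier: str, membership_no: str) -> dict:
        self._authorise(session, tier, membership_no)
        store = self._general if tier == "general" else self._sensitive
        return dict(store[membership_no])

    def lookup_by_nric(self, session: Session, nric: str) -> Optional[str]:
        """Resolve a membership number from an NRIC presented at a counter.
        Step-up MFA applies because the lookup touches the sensitive tier."""
        self._authorise(session, "sensitive", "-")
        return self._token_index.get(pseudonymise(nric))

    def contains_plaintext(self, nric: str) -> bool:
        """Sanity check: the raw NRIC must not appear in any store."""
        dump = repr(self._general) + repr(self._sensitive) + repr(self._token_index)
        return nric in dump


def demo() -> dict:
    store = MemberStore()
    # Constructed sample data; "S1234567D" is a made-up NRIC-format value.
    m = store.enrol("Alice Tan", "alice@example.com", "S1234567D")
    staff = Session("helpdesk", authenticated=True)
    staff_mfa = Session("helpdesk", authenticated=True, mfa_verified=True)
    results = {"membership_no": m, "leaks_nric": store.contains_plaintext("S1234567D")}
    results["general"] = store.read(staff, "general", m)
    try:
        store.read(staff, "sensitive", m)
        results["sensitive_without_mfa"] = "granted"
    except PermissionError:
        results["sensitive_without_mfa"] = "denied"
    results["lookup_with_mfa"] = store.lookup_by_nric(staff_mfa, "s1234567d")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the general profile readable with a password-only session, the sensitive tier refused until the second factor is verified, and the NRIC lookup still working from the keyed token alone. The point for a DPIA is that a copy of the database, as in the NUSS hosting-provider compromise, would yield membership numbers and contact details but no NRICs, and the audit list gives the evidence trail for who attempted to reach the sensitive tier.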
There are various best practices for organisations’ operational compliance (as we are dealing with people behaviour, organisational culture and the resources available for information security measures). For these two incidents, NUSS needs to reconcile its business purpose for the types of personal data collected and whether it is proportionate to its business needs. Is it over-collecting from members, and does it have the resources to ensure adequate protection?
Another important point is vendor management: whether NUSS has assessed the risks involved in having a vendor process the personal data. Organisations that intend to process a significant amount of personal data or sensitive data should conduct a data protection impact assessment (DPIA) to review their security measures and vendor management. This applies to the case of RedDoorz, which cited high staff turnover as the reason for its security oversight. The DPIA helps the management team to identify potential blind spots. If your security measures are highly dependent on human intervention, you should consider whether these measures or tasks can be automated, and the potential impact of identity theft (email address, password). Can an unauthorised user make a transaction once he can access the account?
The PDPC has published a detailed investigation report for its decision to impose the fine of $74,000 on RedDoorz. Besides maintaining the currency of its security measures and having regular and comprehensive audits, companies should be aware of the competencies of their information security team, including their vendors, as data breaches and technological advancements are evolving. This aspect is covered under cyber threat intelligence, where companies can ensure their cybersecurity posture remains relevant to current breaches and attacks. Also, a data protection impact assessment can cover high-level risks identified by threat intelligence, such as the sale of personal data as a business model by hackers during the Covid pandemic.
[1] Jobs to be done
[2] Confidentiality, Integrity and Availability
[3] Izar Tarandach’s Core Principles as stated in his book
[4] AiSP members are welcome to play back the recorded webinar and the full panel discussion by contacting the Secretariat
About the Author
Yvonne Wong
Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She is volunteering in the Cyber Threat Intelligence Special Interest Group (SIG), and Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015. Prior to GRC, she has been involved in branding, communications, intellectual property management and strategic planning work in private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.