CYBER THREAT ARTICLE - Mitigating Data Breaches and Protecting Personal Data

CTI Perspective – Mitigating Data Breaches and Protecting Personal Data

Data breaches are increasingly common and, in some cases, evolved into a viable source of revenue for perpetrators during the Covid-19 pandemic. Given the proliferation of high-profile breaches in Singapore, organisations should review their cybersecurity posture thoroughly and identify how cyber threat intelligence (CTI) could enhance the security of personal and business data.

The Association of Information Security Professionals (AiSP) organised a knowledge-sharing event on 1 December 2021 for its Cyber Threat Intelligence Special Interest Group (CTI SIG) to discuss the trends in data breaches in Singapore and how we can safeguard sensitive data as part of organisations’ compliance with the Personal Data Protection Act (PDPA). Some highlights of the event’s panel discussion are covered here.

Perpetrators’ motivation for causing data breaches

Personal data or personally identifiable information (PII) is valuable, not just to the data subjects who own it, but to others who want to commit identity fraud. In reality, identity fraud is not as insidious as in the movies; it is fairly common whenever someone wants to exploit, through impersonation, what others have, such as their social network, credentials and credit standing. Our speaker and panellist Dr Guy Almog from Cyberint also shared ways in which individuals can mitigate the exposure of their personal data.

There is also a wide range of phishing attempts and data breach related activities monitored on the dark web involving corporate and personal data, as presented by one of our speakers, Ray Koh from Cyberint:


Phishing / Brand abuse
- Executive impersonation in social media
- Brand impersonation in social media
- Brand abuse websites detection
- Mobile applications impersonation
- Domain squatting
- Phishing websites detection
- Phishing beacon
- Advanced phishing detection
- Advanced attacks detection

Dark Web monitoring
- Employee credentials
- Private access token
- Customer credentials exposed
- Customer payment cards exposed
- Credential stuffing tool targeting company
- Brute force tool targeting company
- Data scraping tool for company application
- Vulnerability scanner targeting company
- Source code disclosed
- Leaked documents
- Advanced sensitive information disclosure
- Refund fraud services and tutorials
- Carding services and tutorials
- Advanced fraudulent activities

During the Covid pandemic, many people have been working remotely and cannot be identified in person for verification. This has attracted more perpetrators to steal personal data from less tech-savvy individuals through data breaches.

Gaps in Protecting Personal Data in Organisations

In the context of the November 2021 data breaches involving individuals’ personal data that warrants a higher level of protection, the panel moderator Mr Andrew Ong facilitated a discussion with three panellists on the state of PDPA compliance pertaining to the NUS Society breach and RedDoorz’s 5.9 million affected customers. Given the trend of heavier fines imposed by the Personal Data Protection Commission (PDPC) (see source), I shared on the impact and implications of such a breach from the perspective of the AiSP Data & Privacy Special Interest Group.

Besides the PDPA fines arising from the data breaches, the reputation and credibility of being a trusted and properly managed organisation have been affected. Notably for the start-up RedDoorz (company: Commeasure Pte Ltd), which has a number of investors, the business model is highly dependent on processing customers' bookings and personal data via its digital platform. It was reported that the company has been losing money during the Covid pandemic, and this event may worsen its financial situation further.

For NUS Society (NUSS), the data was taken from its website, which was hosted by a third-party web hosting provider; the database was hacked. It is evident that NUSS may not have assessed why it has to retain the full NRIC numbers of its graduates (from local and foreign universities). Since it already generates membership numbers, it should minimise the data it collects, given the lucrative market in selling and re-selling personal data for nefarious means (see source). PDPC has reiterated the proper use of NRIC numbers since August 2018.
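To illustrate the data-minimisation point above, here is an added example (not the article's, NUSS's or PDPC's own code): a small Python scan that finds checksum-valid full NRIC numbers in a constructed member export and rewrites that export to keep only the partial NRIC (last three digits and checksum letter, the form PDPC's NRIC guidance permits) alongside the membership number already issued. The sample records, and the handling of only the S/T/F/G series checksum, are this example's own assumptions.

```python
import csv
import io
import re

# Constructed sample export (not real data): a member list that still carries
# full NRIC numbers even though a membership number has already been issued.
SAMPLE_EXPORT = """member_no,name,nric,email
M001,Alice Tan,S1234567D,alice@example.invalid
M002,Bob Lim,S7654321F,bob@example.invalid
M003,Carol Ng,F1234567N,carol@example.invalid
M004,Dan Ho,S1234567A,dan@example.invalid
"""

# Shape of an NRIC/FIN (S/T/F/G series) and the published checksum tables;
# the later M series is deliberately not handled in this example.
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
          "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}


def nric_checksum_ok(value: str) -> bool:
    """True when value is a checksum-valid S/T/F/G NRIC/FIN."""
    m = NRIC_RE.fullmatch(value.upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS))
    if prefix in ("T", "G"):  # T and G series carry an offset of 4
        total += 4
    return _CHECK[prefix][total % 11] == check


def find_full_nrics(text: str) -> list:
    """Scan text for full NRICs; the checksum keeps look-alike codes out."""
    return [m.group(0) for m in NRIC_RE.finditer(text.upper())
            if nric_checksum_ok(m.group(0))]


def minimise_export(csv_text: str) -> str:
    """Keep only the partial NRIC (last 3 digits + checksum letter) per row.
    Anything shaped like an NRIC is masked, valid checksum or not."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if NRIC_RE.fullmatch(row["nric"].upper()):
            row["nric"] = "*****" + row["nric"][-4:]
        writer.writerow(row)
    return out.getvalue()
```

The scanner is the detection half (run it over exports, backups and logs to find where full NRICs still live); the rewrite is the minimisation half, applied once the business purpose for holding the full number has been ruled out.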

Our panellist Mr YC Lian, who is also a member of the CTI SIG, shared his views at the event and post-event on guidelines for organisations handling personal data. Data security is often an afterthought for developers, so there is a need to shift threat modelling left. In addition, agile and lean start-ups have changed the way software is built. The need for speed and an MVP has robbed many developers of the chance to think deeply about adapting incrementally.

The ease of implementing controls is not a substitute for understanding JTBD [1]. CIA [2] is better expressed as CIAPS [3], where P refers to privacy and S to safety. Under privacy, there are rights to withdraw consent, update and destroy. Safety would be freedom from risks. Migrating to the cloud creates a model of shared responsibility between organisations and cloud service providers. Organisations should not outsource the management of customer data without proper consideration of its fitness for purpose, performance, continuity, etc.

When asked about current observations or misconceptions in handling such sensitive data, YC elaborated that one does not need fancy tools and technical jargon (SIEM, SOAR, CWPP, CSPM, etc.) to build good culture, hygiene and processes. Organisations’ understanding of their own competence and constraints would help them make better decisions, such as choosing between IaaS and PaaS or DBaaS.

Besides explaining how a CTI service can assist organisations in addressing a potential data breach, Dr Guy also elaborated, from his experience, on the accuracy and usefulness of the information extracted from CTI. More details are available in AiSP’s member-only playback of the webinar recording [4].

On best practices or current guidance for organisations handling personal data, I feel it is important to consider an organisation’s risk appetite, level of staff awareness, effectiveness of training, and how to use CTI strategically. Organisations are often challenged by limited resources and bandwidth, and it would be helpful to prioritise mitigation controls by referencing CTI and data breach trends. Not all risks are equal in impact for two organisations in the same industry; it depends on your risk appetite and culture. In the course of my data protection work, I often have to dig deep into people’s behaviours, as they can make or break operational compliance.


Mitigating Data Breaches in Organisations

Data breaches have become the norm; thus, it would be productive to reduce the impact of a breach, e.g. by segregating types of personal data such as sensitive data. A useful measure is 2FA or multi-factor authentication, depending on the criticality of the access. Take a holistic approach and map out the infosec measures available to your organisation in terms of resources and budget, sustainability, corporate culture and people behaviour, as part of your 2022 planning.

There are various best practices for organisations' operational compliance (as we are dealing with people's behaviour, organisational culture and the resources available for information security measures). For these two incidents, NUSS needs to reconcile its business purpose for the types of personal data collected and whether it is proportionate to its business needs. Is it over-collecting from members, and does it have the resources to ensure adequate protection?

Another important point is vendor management: whether NUSS assessed the risks involved in having a vendor process the personal data. Organisations that intend to process a significant amount of personal data or sensitive data should conduct a data protection impact assessment (DPIA) to review their security measures and vendor management. This applies to the case of RedDoorz, where it cited high staff turnover as the reason for the security oversight. The DPIA helps the management team identify potential blind spots. If your security measures are highly dependent on human intervention, you should consider whether these measures or tasks can be automated, and the potential impact of identity theft (email address, password). Can an unauthorised user make a transaction once he can access the account?

The PDPC has published a detailed investigation report for its decision to impose a fine of $74,000 on RedDoorz. Besides keeping its security measures current and having regular and comprehensive audits, companies should be aware of the competencies of their information security team, including their vendors, as data breaches and technological advancements keep evolving. This aspect is covered under cyber threat intelligence, where companies can ensure their cybersecurity posture remains relevant to current breaches and attacks. Also, a data protection impact assessment can cover high-level risks identified by threat intelligence, such as the sale of personal data as a business model by hackers during the Covid pandemic.



[1] Jobs to be done
[2] Confidentiality, Integrity and Availability
[3] Izar Tarandach's Core Principles as stated in his book
[4] AiSP members are welcome to play back the recorded webinar and the full panel discussion by contacting the Secretariat

About the Author



Yvonne Wong

Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She is volunteering in the Cyber Threat Intelligence Special Interest Group (SIG), and Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015. Prior to GRC, she has been involved in branding, communications, intellectual property management and strategic planning work in private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.