SINGAPORE, Feb 11 — Two recent incidents of massive personal data breaches in Malaysia have put the spotlight on data security in the country. Experts say the breaches likely stem from the use of poor cyber security tools that do not offer sufficient protection against increasingly sophisticated threats.

They warn that with cyber breaches happening worldwide on a daily basis and online threats becoming harder to detect, any organisation or individual can be vulnerable.

“Our corporate and ICS (industrial control system) environments are exploding in digital complexity — the cloud, virtualised environments and non-traditional IT introduce a whole host of unforeseen vulnerabilities,” said Mr Sanjay Aurora, the managing director (Asia Pacific) for Darktrace, an artificial intelligence cyber security company.

“What has become clear however, is that traditional security tools that are rigidly programmed to spot known examples of compromises offer insufficient protection.”

Citing an example, Sanjay said traditional security tools look at past attacks in an attempt to close off avenues of attack and prevent threats from crossing the network border.

This “retrospective approach”, however, misses malicious and accidental insider threats, hacked IoT (Internet of Things) devices, as well as sophisticated threats that have never been seen before.

This could be why in recent years, news of data breaches in companies like web services provider Yahoo, ride-hailing firm Uber and consumer credit reporting agency Equifax have hogged the limelight.

Last December, about 380,000 Singapore users of Uber were affected as a result of a massive 2016 data breach, although the company said the breach did not compromise any of their credit card or bank account numbers.

In Malaysia, the personal data of 46.2 million Malaysians was stolen and sold online, in what is possibly the country’s biggest personal data breach.

Popular Internet forum and technology magazine website Lowyat.net reported on the data breach on Oct 19, noting that the data from a 2014 breach was likely to have been available for sale for a long time.

This was followed by another report by the website last month on how the personal details of around 220,000 Malaysian organ donors and their next-of-kin had been leaked online since September 2016.

Malaysia’s internet regulator, the Malaysian Communications and Multimedia Commission (MCMC) and the police are currently probing the source of the leaks but to date, no one has been apprehended.

MCMC did not respond to queries from TODAY.

In Malaysia, any person found guilty of selling personal data can be fined up to RM500,000 or jailed for a maximum of three years or both under the Personal Data Protection Act.

The legislation was enacted in 2010 to protect personal data of Malaysians from being misused.

MCMC also has a general consumer Code of Practice for the communications and multimedia industry, where it spells out measures service providers should take to provide adequate security for personal data.

One weakness in Malaysia’s legal framework though, is the lack of laws that outline what organisations should do in the event of a data breach, said Vijandren Ramadass, the founder of Lowyat.net.

The European Union for instance is drafting a general data protection regulation while the United States already has laws that require companies to notify those affected by their data breaches.

Still, cyber-security experts say tougher laws on data protection are not going to put a complete stop to breaches.

“Data protection laws can only provide the necessary frameworks and requirements for compliance. The implementation of cyber-security measures, on the other hand, is far more challenging,” said Foo Siang-tse, the managing director for Quann Asia Pacific, a cyber-security services provider.

“Cyber defenders must be vigilant all the time while hackers only need to be successful once. This is a challenge for many countries, and not just Malaysia.”

Many factors contribute to data breaches.

It could be from a compromised laptop or server, or someone extracting information due to lack of data protection procedures in an organisation.

This could involve a USB download, email data export or sophisticated malware designed for data theft and exfiltration.

Simply put, “each breach has its own unique reasons on how it happened,” said technology strategist Dinesh Nair, who worked with Microsoft to drive the adoption of current and emerging technologies.

Moreover, online file storage and email services like Dropbox and Yahoo have been compromised recently.

“If the data was stored in any of these online services, then it could have easily been breached by accessing these accounts with stolen credentials,” said Ramadass.

So what can be done to minimise data breaches?

For companies, Sanjay said AI technology that learns on the job and spots abnormalities before they become harmful offers the best chance to catch and autonomously respond to previously unknown attacks and subtle insider threats.

Quann’s Foo said organisations should also consider working with an experienced cyber security partner that provides end-to-end services, which include security product assessment, regular penetration testing, real-time detection and timely incident response.

“Employees must be educated on current cyber security threats and how they should protect themselves and their organisations. These include keeping passwords secure and not clicking on suspicious links or files,” he said. — TODAY