The biggest data breaches in the ASEAN region

Recent massive data breaches in Southeast Asia evidence the region's weaknesses in the areas of cybersecurity and data protection

New year, new data breaches.

The World Economic Forum 2019 global risk report has named cyber attacks and data breaches as the fourth and fifth most serious risks facing the world today. It's the second year in a row in which these threats have been present in the top five list of risks.

With its dynamic position as one of the fastest growing digital economies in the world, the ASEAN region has become a prime target for cyberattacks.

According to AT Kearney’s insightful report “Cybersecurity in ASEAN: An Urgent Call to Action”, ASEAN countries are being used as launchpads for cyberattacks, either as vulnerable hotbeds of unsecured infrastructures where numerous computers can be infected easily for large-scale attacks, or as centres for a single point of attack to gain access to the hubs’ global connections.

The report also found that Malaysia, Indonesia and Vietnam are global operational bases for major blocked suspicious web activities, up to 3.5 times the standard ratio, making them hubs for hackers to launch malware attacks.

Not everything is bad news though: In September 2018, the 10 members of the ASEAN bloc agreed to 11 voluntary, non-binding norms of responsible behaviour to strengthen cybersecurity, which were proposed by the United Nations in 2015.

The norms include proposals for individual states not to knowingly allow their territory to be used either to commit “wrongful acts using information and communications technology” or to damage critical technological infrastructure.

Below we have compiled a list of the most serious data breach incidents in the ASEAN region during the past few years.

Philippines, January 2019: Cebuana's marketing server breached

More than 900,000 clients of Philippine-based pawnshop Cebuana Lhuillier were affected by a data breach on 19 January. According to the financial institution, the figure represents only 3% of its total clientele.

Cebuana Lhuillier, popularly known as Cebuana, is the leading and largest non-banking financial services firm in the country which provides microloans, pawn-broking, money remittance, bills payments and business-to-business solutions.

The official statement released by Cebuana revealed that customers’ compromised information included dates of birth, addresses and sources of income. It also said that transaction details were not compromised and that the company’s main servers remained “safe and protected”.

The breach involved an email server used for marketing and, although attempts to use one of its servers were detected on January 15, unauthorised downloads go back to August 2018.

Cebuana said in the statement that it had reported the breach to the National Privacy Commission (NPC), and privacy commissioner Raymond Liboro said the NPC is investigating the incident.

This has been a bad start to the year for the Philippines: on top of the Cebuana case, concerns over the security of Filipinos' passport data were raised after Foreign Secretary Teodoro Locsin claimed that an outsourced company "took all the data" when its contract terminated.

However, the Department of Foreign Affairs has denied a data breach and said that it has "full control" of passport data belonging to Philippine citizens.

Singapore, January 2019: second health data breach in six months

This week it was revealed that confidential information belonging to 14,200 people diagnosed with HIV was stolen and leaked online in Singapore.

According to a statement published by the country’s Ministry of Health (MOH), the compromised personal data included names, contact details (phone number and address), HIV test results and other medical information of some 5,400 Singaporeans and 8,800 foreigners dating up to January 2013.

The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.

Authorities believe that the person behind the breach is Mikhy Farrera-Brochez, a 33-year-old US citizen who lived in Singapore between 2008 and 2016. He was convicted and jailed for fraud and drug-related offences in 2016 and was deported last year upon completion of his jail sentence.

Farrera-Brochez used to be the partner of Ler Teck Siang, the former head of Singapore's National Public Health Unit, who was convicted for helping him falsify his medical records to disguise the American’s HIV-positive status.

Until 2015, foreigners with HIV were not allowed to visit the island state, even as tourists. Today, any visitor who wants to stay in the country for more than 90 days, including for work, is subject to mandatory medical screening to guarantee that they are not HIV positive.

Ler offered his own blood labelled as Farrera-Brochez's to allow him entry to the country.

Singaporean officials said that they were first made aware that Farrera-Brochez may have had access to the confidential information in 2016 but believed that all material had been seized and secured by the police.

According to the MOH statement, “while access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future.”

Singapore, July 2018: the city-state suffers its largest data breach

Last summer Singapore was subject to the largest data breach in its history, with 1.5 million patients of SingHealth’s specialist outpatient clinics affected, including Prime Minister Lee Hsien Loong and several ministers.

Personal information stolen included names, National Registration Identity Card numbers, addresses, gender and dates of birth. 160,000 patients had details related to outpatient dispensed medicines as well.

A committee of inquiry (COI) was set up in October to investigate the events and contributing factors leading to the cyber attack.

During the COI, which finished on 30 November, it was established that intrusions into SingHealth's electronic medical records (EMR) system - a critical information infrastructure in Singapore - began undetected on June 27 but were discovered on July 4 and terminated by a database administrator at Integrated Health Information Systems (IHiS), the agency which runs the IT systems of all public healthcare institutions in Singapore.

It took six days from the start of the attack for it to be discovered and halted because IHiS staff initially thought that no data had been stolen.

The COI also concluded that IT gaps and staff missteps contributed to the incident.

Five “top priority” recommendations were proposed by Solicitor-General Kwek Mean Luck for Singapore’s healthcare institutions to work on, including raising awareness of cybersecurity and tighter control of privileged administrator accounts.

Philippines, May 2018: Wendy’s and Jollibee asked to take preventive measures against data breaches

Last May the National Privacy Commission of the Philippines (NPC) gave popular fast-food chain Jollibee Foods Corporation (JFC) 10 days to come up with a plan to rehabilitate the vulnerabilities in its website, which could expose the data of millions of customers in the case of a breach.

In addition to this, the NPC also ordered Jollibee to “employ privacy by design” in re-engineering JFC Group’s data infrastructure. The food chain will also need to conduct a new privacy assessment, while filing a monthly progress report, until the issues in the system are addressed.

The NPC issued these cautionary warnings after Wendy’s, another US fast-food chain with operations in the Philippines, was subject to a data breach earlier in the year.

Over 80,000 records, including users’ personal data, were exposed following an infiltration by hackers of Wendy’s Philippines website.

The NPC reported on May 4 that around 82,150 records of customers and job applicants including names, addresses, passwords, payment method and transaction details were compromised in the leak.

In relation to the case, the NPC issued an order requiring Wendy's in the Philippines to inform users affected by the data breach. The document, which the NPC released on May 2, gave the fast-food chain a 72-hour extension to comply.

“On an analysis of the information exfiltrated, it can be ascertained that the exposure of certain sensitive personal or financial information within the database puts the affected data subjects in harm’s way,” the NPC’s order states.

Thailand, March 2018: True Corp's data gaffe

In March 2018 security researcher Niall Merrigan revealed that the identity documents of around 45,000 customers of True Corp, Thailand’s second-biggest mobile network and the flagship company of billionaire Dhanin Chearavanont's Charoen Pokphand Group, had been exposed.

Merrigan discovered the personal details belonging to customers of True Corp's e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.

The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driving licences and possibly passports.

Merrigan said that True Corp was wrongly assuming that the incident was a hack, but there was no security on the data bucket and anybody could have found and downloaded the files.

According to the Bangkok Post, Telecoms regulator NBTC is investigating the incident and may force True Corp to compensate its customers for exposing their details. The stored identity records may have been collected as part of the Thai government's mandatory SIM registration scheme, which has already been a target of identity thieves and has been opposed by privacy advocates.

But a cloud expert noted that because the default setting for the AWS S3 service is private, True had to have intentionally set the data to public.

Malaysia, October 2017: Fiasco at the Malaysian Communications and Multimedia Commission

In what’s Malaysia’s darkest data breach episode to date, more than 46 million mobile subscribers’ data was stolen and leaked on to the dark web.

Considering that the state has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones.

The leaked information includes mobile numbers, unique phone serial numbers and home addresses.

Personal information from multiple Malaysian public sector and commercial websites was also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning.

Although the Malaysian technology news website Lowyat.net claimed that it reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) after receiving a tip-off, the watchdog asked Lowyat.net to take the news article down.

The tech website was informed that someone was trying to sell huge databases of personal details from at least 12 Malaysian mobile operators for an undisclosed amount of Bitcoin on its forums.

A vast amount of personal data was also stolen from Jobstreet.com and six different official Malaysian organisations, including the Malaysian Housing Loan Applications and the Academy of Medicine Malaysia.

Lowyat.net founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC.

The MCMC only acknowledged the data breach a day later in a press statement released on Facebook, later confirming that 46.2 million mobile subscribers were affected by the data breach.

Singapore, September 2017: Reputation debacle for AXA Insurance and Uber

Before this month’s catastrophic health data breach, Singapore already had a record of serious breach incidents in its territory.

In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal.

Information stolen included email addresses, mobile numbers and dates of birth. However, AXA was quick to reassure customers that no other personal data, including names, postal addresses, financial details, medical records or claims history, had been exposed.

In an email to its customers, AXA’s data protection officer Eric Lelyon said: “We wish to inform you that because of a recent cyberattack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.”

To reassure its clients he continued by saying that "no further action is required from you as the information that was compromised is not likely to, on its own, expose you to identity theft."

Ironically, in 2014 the insurance corporation had introduced an online risk insurance service in the city-state to protect customers and businesses against cyberattacks.

And in December, just a couple of months after AXA’s episode, Uber disclosed that personal data belonging to 380,000 of its customers in Singapore had been subject to a leak the previous year.

The popular but controversial ride-hailing company only released the news after disclosing that the details of 57 million worldwide Uber riders and drivers had been exposed. Not only that, Uber paid $100,000 to the hacker responsible to destroy the data in an effort to cover up the leak.

This move, which was approved by Uber’s former CEO Travis Kalanick, didn't work too well for the organisation, and the company’s CSO, Joe Sullivan, was sacked shortly after the incident made headlines. However, to this day Uber has avoided paying any significant fines in regard to this episode.

If Uber’s breach had happened after the introduction of the EU’s GDPR, the company could have been fined 4% of its global annual revenue ($23.5 million).
