The biggest data breaches in the ASEAN region

Last week's massive data breach in Singapore affecting 1.5 million people evidenced the region's weaknesses in the areas of cybersecurity and data protection

Hacker stealing data
Thinkstock

With its dynamic position as one of the fastest growing digital economies in the world, the ASEAN region has also become a prime target for cyberattacks.

Last week Singapore was subject to the largest data breach in its history with 1.5 million affected by an attack which saw SingHealth’s patients personal information, including addresses and  National Registration Identity Card numbers, severely compromised.

According to AT Kearney’s insightful report “Cybersecurity in ASEAN: An Urgent Call to Action”, ASEAN countries are being used as launchpads for cyberattacks, either as vulnerable hotbeds of unsecured infrastructures where numerous computers can be infected easily for large-scale attacks, or as centres for a single point of attack to gain access to the hubs’ global connections.

The report also found out that Malaysia, Indonesia and Vietnam are global operational bases for major blocked suspicious web activities, up to 3.5 times the standard ratio, making them hubs for hackers to launch malware attacks.

The high risk of cyberattacks and data breaches won’t improve until cybersecurity governance and policies are considerably developed. According to the Asia Pacific Risk Centre, hackers are 80% more likely to attack organisations in Asia due to the weakness in regional cybersecurity infrastructures.

Although Malaysia, Singapore, Thailand and Vietnam have drafted cybersecurity bills in 2017, little progress has been achieved in the rest of ASEAN countries.

When it comes to data breach control, the prospects are even gloomier. Whereas Philippines or Indonesia require that data controllers notify promptly affected users in the case of a data breach, Thailand, Brunei or Malaysia don’t have specific notification requirements in this particular scenario.

This makes more difficult to know the real extent of actual data breaches in those countries as most of them would go unreported.

In March 2017, ASEAN adopted the ASEAN Cybersecurity Cooperation Strategy and in April 2018, on the occasion of the 32nd ASEAN Summit, it issued a statement on cybersecurity cooperation. However, since the lack of sector-specific governance and policies is a problem around the whole region, ASEAN could benefit of a coordinated approach similar to the one implemented in the European Union (EU).

In 2013 the EU developed a Cybersecurity Package, a region-wide cybersecurity strategy to “enhance the EU’s overall performance” and to “safeguard an online environment providing the highest possible freedom and security for the benefit of everyone.” The package was reviewed last year and marks a milestone in the fight against cybercrime in the union.

Below we have compiled a list of the most serious data breach incidents in the ASEAN region during the past few years.

Philippines, 2016: “The biggest government data breach in history”

On 27 March 2016, 55 million voters in the Philippines were subject to what’s been deemed the “biggest government data breach in history” after the entire database of the Commission on Elections (Comelec) was hacked and leaked.

Behind the attack was a group self-named Anonymous Philippines. Following the breach a second hacker group, LulzSec Pilipinas, posted the database online and since then it has been widely shared by others.

Anonymous Philippines is a hacktivist community likely to be connected or inspired by the global Anonymous hacker network, which has rallied supporters in over 20 countries globally against government corruption and internet censorship.

Among the data stolen from Comelec, which was distributed on both the dark and clear web, were 228,605 email addresses and 1.3 million passport numbers of overseas Filipino voters and 15.8 million fingerprint records.

Other information contained within the breach included postal addresses, place of birth, height, weight, gender, marital status and parents' names. Although dates of birth and names were encrypted, the rest of the data wasn’t.

In an interview with WIRED, security expert Troy Hunt said that the leaked database was a “real hodgepodge” of data structures, with file names suggesting careless copy-and-pasting of old versions, poor maintenance and lenient management.  

In 2013, #pR.ison3R, claiming to be part of Anonymous Philippines, posted on Facebook three mobile phone numbers belonging to Benigno Aquino III,  the country’s then president.

Thailand, 2016: Expats data compromised

Late on a March Sunday afternoon, social media users noticed that a database containing the names, addresses, job titles and passport numbers of more than 2,000 foreign nationals living in Thailand’s southern province was widely available online.

The website where the information was published carried the Thailand immigration police seal but used a private Thai web address, which is not usually associated with government sites. The data was openly accessible without a password and some users even guessed the administration password, which unsurprisingly was 12345.

The site also featured a digital map pinpointing the expats’ location and their personal details, making it a cause for worry to hundreds of foreigners living in the southern region of the Asian country.

When authorities ordered to take down the website on the following Monday, it was already too late. The site’s existence had gone viral and it had become another stain in the government’s cyber security record, which in 2016 had seen the websites of the police, courts and correction departments hacked.  

Thai Netizens, a digital advocacy group, tracked down the website's owner, a developer called Akram Aleeming, who later posted a statement on Facebook saying the site had mistakenly been made public during testing stages. According to his statement, the immigration police had commissioned the website.

Malaysia, 2017: Fiasco at the Malaysian Communications and Multimedia Commissions

In what’s Malaysia’s darkest data breach episode to date, more than 46 million mobile subscribers’ data was stolen and leaked on to the dark web.

Considering that the state has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones.

The leaked information includes mobile numbers, unique phone serial numbers and home addresses.

Personal information from multiple Malaysian public sector and commercial websites was also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning.

Although the Malaysian technology news website Lowyat.net claimed that it reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) after receiving a tip-off, the watchdog asked Lowyat.net to take the news article down.

The tech website was informed that someone was trying to sell huge databases of personal details from at least 12 Malaysian mobile operators for an undisclosed amount of Bitcoin on its forums.

A vast amount of personal data was also stolen from Jobstreet.com and six different official Malaysian organisations, including the Malaysian Housing Loan Applications and the Academy of Medicine Malaysia.

Lowyat.net founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC.

The MCMC only accepted the data breach a day later in a press statement released on Facebook, later confirming that 46.2 million mobile subscribers were affected by the data breach.

Singapore, 2017: Reputation debacle for AXA Insurance and Uber

Before this month’s catastrophic health data breach, Singapore had already an open record of serious breach incidents in its territory.

In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal.

Information stolen included email addresses, mobile numbers and date of birth. However, AXA was quick to reassure that no other personal data, including name, postal addresses, financial details, medical records or claims history, had been exposed.

In an email to its customers, AXA’s data protection officer Eric Lelyon said: “We wish to inform you that because of a recent cyberattack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised."

To reassure its clients he continued by saying that "no further action is required from you as the information that was compromised is not likely to, on its own, expose you to identity theft."

Ironically, in 2014 the insurance corporation had introduced an online risk insurance service in the city-state to protect customers and businesses against cyberattacks.

And in December, just a couple of months after AXA’s episode, Uber disclosed that personal data belonging to 380,000 of its customers in Singapore had been subject to a leak the previous year.

The popular but controversial riding company only released the news after disclosing that the details of 57 million worldwide Uber riders and drivers had been exposed. Not only that, Uber paid $100,000 to the hacker responsible to destroy the data in an effort to cover up the leak.

This move, which was approved by Uber’s former CEO Travis Kalanick, didn't work too well for the organisation and the company’s CSO, Joe Sullivan, was sacked shortly after the incident made headlines. However, to this day Uber has avoided paying any significant fines in regards to this episode.

If Uber’s breach had happened after the introduction of the EU’s GDPR, the company could have been fined 4% of its global annual revenue ($23.5 million).

"Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers”, said Dean Armstrong, cyberlaw barrister at Setfords Solicitors. “This will simply encourage them further and result in more attempts to steal personal data from organisations."

Thailand, 2018: True Corp's data gaffe

In March 2018 security researcher Niall Merrigan revealed that the identity documents of around 45,000 customers of True Corp, Thailand’s second-biggest mobile network and the flagship company of billionaire Dhanin Chearavanont's Charoen Pokphand Group, had been exposed.

Merrigan discovered the personal details belonging to customers of True Corp's e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.

The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driving licences and possibly passports.

Merrigan said that True Corp was wrongly assuming that the incident was a hack, but there was no security on the data bucket and anybody could have found and downloaded the files.

According to the Bangkok Post, Telecoms regulator NBTC is investigating the incident and may force True Corp to compensate its customers for exposing their details. The stored identity records may have been collected as part of the Thai government's mandatory SIM registration scheme, which has already been a target of identity thieves and has been opposed by privacy advocates.

But a cloud expert noted that because the default setting for the AWS S3 service is private, True had to have intentionally set the data to public.

Philippines, May 2018: Wendy’s and Jollibee asked to take preventive measures against data breaches

Last May the National Privacy Commission of Philippines (NPC) gave popular fast-food chain Jollibee Foods Corporation (JFC) 10 days to come up with a plan to rehabilitate the vulnerabilities in its website, which could expose the data of millions of customers in the case of a breach.

In addition to this, the NPC also ordered Jollibee to “employ privacy by design” in re-engineering JFC Group’s data infrastructure. The food chain will also need to conduct a new privacy assessment, while filing a monthly progress report, until the issues in the system are addressed.

The NPC emitted these cautionary warnings after Wendy’s, another US fast-food chain with operations in the Philippines, was subject to a data breach earlier in the year.

Over 80,000 records, including users’ personal data, were exposed following an infiltration by hackers of Wendy’s Philippines website.

The NPC reported on May 4 that around 82,150 records of customers and job applicants including names, addresses, passwords, payment method and transaction details were compromised in the leak.

In relation to the case, the NPC issued an order addressed to Wendy's in Philippines to inform users affected by the data breach. The document, which the NPC released on May 2, gave a 72-hour extension for the fast-food chain company to comply.

“On an analysis of the information exfiltrated, it can be ascertained that the exposure of certain sensitive personal or financial information within the database puts the affected data subjects in harm’s way,” the NPC’s order states.