The biggest data breaches in the ASEAN region

Recent massive data breaches in Southeast Asia evidence the region's weaknesses in the areas of cybersecurity and data protection

1 2 Page 2
Page 2 of 2

"Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers”, said Dean Armstrong, cyberlaw barrister at Setfords Solicitors. “This will simply encourage them further and result in more attempts to steal personal data from organisations."

Vietnam, July 2016: trouble in the airports

Airlines around the globe are becoming favourite targets for hackers, as recent attacks on British Airways, Air Canada and Cathay Pacific systems show us.

On July 2016, 410,000 clients of Vietnam Airlines saw personal information compromised after the national flag carrier’s website was subject to a cyberattack by self-proclaimed Chinese hackers.

The data stolen, which was then leaked on the internet, belonged to VIP members of the airline’s Lotusmiles scheme. It included names, birthdays and addresses.

The politically motivated attack also affected flight information displays and speaker systems at Tan Son Nhat International Airport and Noi Bai International Airport, the country’s biggest airports.

Intercepted screens showed derogatory messages in Chinese against Vietnam and the Philippines in their territorial row against China in the South China Sea.  

Vietnam Airlines website page was replaced by the same picture which was showing on the airports’ displays.

Banks raised concerns in the aftermath of the data breach about the use of the leaked information to steal their clients’ money, as many Lotusmiles members had used bank cards to complete transactions with the airline.

Currently Vietnam Airlines website has a clause on its customer privacy notice where it states that in case of a data breach, the company will follow the European Union’s General Data Protection Regulation (GDPR) and contact affected clients with an immediate effect.

The airline now also has a designated data controller and data protection officer (DPO).

Thailand, March 2016: Expats data compromised

Late on a March Sunday afternoon, social media users noticed that a database containing the names, addresses, job titles and passport numbers of more than 2,000 foreign nationals living in Thailand’s southern province was widely available online.

The website where the information was published carried the Thailand immigration police seal but used a private Thai web address, which is not usually associated with government sites. The data was openly accessible without a password and some users even guessed the administration password, which unsurprisingly was 12345.

The site also featured a digital map pinpointing the expats’ location and their personal details, making it a cause for worry to hundreds of foreigners living in the southern region of the Asian country.

When authorities ordered to take down the website on the following Monday, it was already too late. The site’s existence had gone viral and it had become another stain in the government’s cyber security record, which in 2016 had seen the websites of the police, courts and correction departments hacked.  

Thai Netizens, a digital advocacy group, tracked down the website's owner, a developer called Akram Aleeming, who later posted a statement on Facebook saying the site had mistakenly been made public during testing stages. According to his statement, the immigration police had commissioned the website.

Philippines, March 2016: “The biggest government data breach in history”

On 27 March 2016, 55 million voters in the Philippines were subject to what’s been deemed the “biggest government data breach in history” after the entire database of the Commission on Elections (Comelec) was hacked and leaked.

Behind the attack was a group self-named Anonymous Philippines. Following the breach a second hacker group, LulzSec Pilipinas, posted the database online and since then it has been widely shared by others.

Anonymous Philippines is a hacktivist community likely to be connected or inspired by the global Anonymous hacker network, which has rallied supporters in over 20 countries globally against government corruption and internet censorship.

Among the data stolen from Comelec, which was distributed on both the dark and clear web, were 228,605 email addresses and 1.3 million passport numbers of overseas Filipino voters and 15.8 million fingerprint records.

Other information contained within the breach included postal addresses, place of birth, height, weight, gender, marital status and parents' names. Although dates of birth and names were encrypted, the rest of the data wasn’t.

In an interview with WIRED, security expert Troy Hunt said that the leaked database was a “real hodgepodge” of data structures, with file names suggesting careless copy-and-pasting of old versions, poor maintenance and lenient management.  

In 2013, #pR.ison3R, claiming to be part of Anonymous Philippines, posted on Facebook three mobile phone numbers belonging to Benigno Aquino III,  the country’s then president.

1 2 Page 2
Page 2 of 2