APAC lax on data breach, theft

Summary:Region's lack of legislation allows data breaches to be swept under carpet while lenient judiciaries produce just slap on cybercriminals' wrists, argues security expert.

SINGAPORE--Lack of data privacy regulations, as well as lenient law enforcement in the Asia-Pacific region, have not helped the fight against cybercrime, according to a security expert.

Touching on the recent Epsilon incident, Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, told ZDNet Asia the lack of legislation in this region had given affected companies opportunities to "sweep it under the carpet".

The e-mail marketing service provider, which sends some 40 billion e-mail messages annually, revealed in early April that its system was breached and about 2 percent of its customers' client names and e-mail had been leaked. Among the organizations affected were Citi, JPMorgan Chase, Marriot International and McKinsey & Company.

Of the affected companies, only U.S. companies have revealed that they were customers of Epsilon, and sent out e-mail messages to customers informing them of the data breach, Ducklin noted in an interview during a recent visit to Singapore.

He blamed this on the lack of mandatory disclosure laws in the region, adding that companies have no obligations to go public, as the information stolen are mainly e-mail addresses and not personal identifiable information.

The United States, for instance, has legislation requiring companies, which handle and "do things" with consumer data, to disclose any data breach and implement encryption.

Aside from the absence of laws, judiciary powers do not appear to be taking cybercrime seriously, judging by the punitive measures, lamented Ducklin.

According to him, a criminal who tried to sell 60, 000 stolen credit card numbers to undercover police in Perth last year, was let off on a "good behavior bond" and payment of A$150 (US$161) for court costs. The sentencing was similar to a fine of not paying toll on the Sydney Harbour Bridge, he pointed out.

"The magistrates don't seem to accept the severity of cybercrime, where lots of people's identities are stolen at a time," said Ducklin. "You're not actually punching someone or committing [a] violent crime, so these hackers can expect quite light sentences in some cases."

Users more savvy, but Facebook must up security
Ducklin added that cybercriminals are also finding Facebook an effective channel to lure victims, as seen from the security vendor's frequent blog updates of alerts of scams targeting the social media site. The popular social networking platform, he noted, is a good way to popularize dodgy sites as cyberciminals can typically reach tens of millions of users effortlessly, with many of the unsuspecting users falling prey to malicious apps and javascript injection.

Sophos published an open letter to Facebook last week, asking Facebook to take on three security issues to improve privacy and safety for its over 500 million users.

In the letter, Sophos' senior technology consultant Graham Cluley urged Facebook to--instead of being required to do so by regulators--implement opt-in functions for new features on information sharing, publish only vetted and approved third-party developer apps and enforce a "secure connection" at all times.

The HTTPS function currently requires users to turn it on in their account settings but Facebook noted that it is looking to enable HTTPS by default "sometime in the future". The social network also announced on Apr. 19 that it would automatically switch users back to the more secured connection after they have used a non-HTTPS application.

Ducklin said he is puzzled as to why Facebook users willingly allow apps from unknown or suspicious companies, access to their personal information. "Do you really want to allow someone you do not know to post articles as if it were you? It seems crazy but we're trying to bring the [preventive] message across," he pointed out.

Rogue apps are not only the ones making their rounds in the social media site now, he said. Another recently introduced 'feature' claiming to allow users to view stalkers or frequent visitors to their page, is actually a javascript attack that injects malicious codes when users try to access it through browsers.

Many URLs these days are shortened, making it very difficult "to see where you're going", he added.

Bogus surveys are also contributing to the underground economy, where users, lured by bogus iPhone and iPad prizes, are willing divulge information online to dodgy Web sites, said Ducklin. Not only are such information obtained by cybercriminals, users' computer systems may also be infected as these sites may trigger some form of exploit via browsers, he shared.

However, Ducklin acknowledged that an increasing number of people are now more aware of online scams. Citing an impromptu video survey in Singapore he conducted last year, where 20 locals and tourists were quizzed on whether they would divulge information for a free iPad, at least half stood firm against giving in to such "temptation".

"I was quite pleased that the results were 50-50, they were either willing or not willing to divulge any information," he said.

"If we did the same thing three years ago, when Facebook was still quite new, people either wouldn't be on it yet, or would be more than willing to partake in the 'fun'."

Topics: Software, Apps, Browser, Collaboration, CXO, Government : Asia, Hardware, IT Employment, Legal, Mobility, Security, Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.