Assume breach position does not mean firms get to skip due diligence in cybersecurity

Recognising that security breaches are "not a matter of if, but when" does not mean businesses get to be cut some slack in the event of an incident, especially when they are unable to show due diligence in safeguarding their customers' data.
Written by Eileen Yu, Senior Contributing Editor

Another week, another data breach, and this time involving another communications services provider in Singapore. With cybersecurity incidents now seemingly commonplace, more organisations must be realising it's only a matter of time before they get hit, but they'll be wrong to assume it's their advance-to-go card and they get to skip doing their due diligence in safeguarding customer data. 

MyRepublic on Friday said the personal data of 79,388 of its mobile subscribers were compromised, following a security breach on a third-party data storage platform. The affected system contained identity verification documents needed for mobile services registration, including scanned copies of local customers' national identity cards and residential addresses of foreign residents. 

I asked MyRepublic if the data storage service was cloud-based and whether it was the only client affected by the breach, but it declined to provide specifics citing confidentiality and security reasons. 

It did reveal, however, that it was informed of the breach by "an unknown external party" on August 29, which was the date it said the "unauthorised data access" was uncovered. It since had been plugged and incident "contained", MyRepublic said. 

The internet services provider is the third in Singapore to be hit by a cybersecurity breach in just six months. Just in August, local telco StarHub said a file containing personal data of its customers was found on a dump site. The file contained mobile numbers, email addresses, and identity card numbers of 57,191 individuals who had subscribed to StarHub's services before 2007. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business.

Earlier in February, Singtel said personal details of 129,000 customers including name, date of birth, mobile number, and physical address, were compromised in a security breach that involved the third-party file-sharing system, FTA. Launched by US cloud service provider Accellion 20 years ago, the FTA product was nearing retirement and had vulnerabilities that were not properly patched, impacting several organisations and their customers including Shell and Morgan Stanley.

In Singtel's case, financial details of employees of a corporate client also were compromised in the breach. 

In their respective security incident, both MyRepublic and StarHub highlighted that financial details such as credit card and bank account information were not affected. They also noted that none of their own systems were compromised. 

However, that should bring little comfort since third-party and supply chain attacks are on the rise, paving multiple ways for cybercriminals to breach their eventual targets--any organisation with access to large volumes of consumer data. 

Furthermore, there's little indication that organisations are taking the necessary steps to ensure their entire supply chain is resilient and secured. Are they constantly assessing the security posture of their third-party suppliers? Would MyRepublic have known there was a data breach if the "unknown external party" had not raised the alarm? 

When I asked MyRepublic when it last assessed security measures implemented by the affected data storage vendor, it would not specify a date. It said only that it "regularly" reviewed such measures internally and externally, including that of the third-party vendor implicated in the breach. 

Wouldn't it be able to easily provide a specific date of its last assessment if that was the case? And should this be made a mandatory provision when companies report a security incident, alongside other details such as how the breach occurred and the parties involved in the breach.

The data storage vendor wasn't named in the MyRepublic breach, which should lead to further questions about whether other businesses, and their customer data, were also impacted. 

All customer data should be properly secured

Furthermore, just because security breaches do not always compromise financial data does not make these leaks any less critical. 

Singapore is small, with few key players in the telecoms market. Chances are subscribers here would have been customers of all three telcos at some point, which further increases the likelihood they were affected by all three breaches that occurred. This, in effect, means various aspects of their personal information, spanning their date of birth, national identity number, physical address, and mobile number, can be put together to establish a more complete profile. 

It also means cybercriminals will be able to use these different datasets of personally identifiable information (PII), pulled together from separate security breaches, to clear security questions or verify and assume the identity of their victims. They can convince banks to issue replacement credit cards in the victim's name, even if no financial data was compromised in any security breach. 

Data breaches involving any PII should be a concern, especially as cyber threats and risks from third-party attacks continue to increase. 

At a panel discussion in Estonia this week, Singapore's Minister for Communications and Information Josephine Teo described cybersecurity as a "wicked" challenge that could not be completely resolved.

This, in fact, prompted the country to change its cybersecurity posture from one focused on prevention, to one of "assume breach" position, Teo said. With this mindset, it assumes systems have been breached or compromised, according to the minister, who pointed to the need for constant vigilance and monitoring to identify breaches.

She said it was critical for governments to already have in place response mechanisms to swiftly recover in the event of a breach, including having clear communications to maintain public trust. 

But while it is true that It's no longer a question of "if" but "when" organisations experience a security breach, this shouldn't mean they can afford to take their feet off the accelerator in doing their due diligence and what is necessary to keep their customer data safe. 

An "assume breach" approach has motivated enterprises to focus on recovery and response, which in itself isn't wrong, because it pushes these companies to minimise disruptions to service delivery. It also ensures they are able to quickly contain the breach and recover lost data. 

However, it can divert attention and investment away from threat monitoring and prevention, which are equally as important. 

In addition, risk management efforts typically will see companies put more focus on securing more critical data -- commonly perceived to be financial and payment details, or the company's intellectual property assets. This sometimes means other non-financial customer data will be tagged less critical and parked away in a third-party or public cloud-based data storage platform, where security measures may not be as closely or regularly assessed by the organisation.

It is likely the reason why, when security incidents occur, affected systems would contain personal customer data such as their mobile number or national identification number, but not their bank or credit card details. 

Organisations have a responsibility to safeguard all of their customers' data, regardless of whether loss of that data has financial implications on their business and bottom line. As I mentioned above, theft of any PII can carry potential cyber risks for an individual, even if its loss is deemed to have little financial impact to a business. 

That means companies, including startups and mobile app platforms, that collect and store large volumes of customer information should take the necessary measures to ensure the data is secured.

Telcos, in particular, made for bigger targets due to their access to large consumer databases and communications infrastructure, Joanne Wong, LogRhythm's vice president for international markets, said in a note on MyRepublic's breach.

"As a digital-first nation, we need to get better at fending against these threats," Wong said. "We know from experience that there can be far-reaching implications of a single weak link and cannot sit still, and watch the same incidents happen time and time again. Organisations, especially in these essential sectors -- need to be proactive and have oversight across their entire digital supply chain, including any third-party vendors. Only when there is constant monitoring and surveillance, can they effectively identify and remediate threats with speed." 

On how much organisations should invest in cybersecurity, Teo urged the need for organisations to understand their risk profile and allocate the appropriate amount of resources to protect their digital assets. She added that Singapore advised local businesses to carry out risk assessments and invest accordingly, rather than going for the minimum so they are in compliance with regulations. 

Above all, an "assume breach" position does not mean consumers are expected to accept security breaches as part and parcel of dealing with businesses. 

It should mean organisations must be better able to demonstrate it has done its part in protecting all customer data, including non-financial information, within its own environment as well as across its supply chain. 


Editorial standards