Singapore must be tougher on firms that treat security as value-add service

Businesses that handle customer data should be expected to do so with all the appropriate cybersecurity systems and polices in place, rather than provide these as a "value-add service", and it's time the Singapore government holds those that fail to do so accountable.
Written by Eileen Yu, Senior Contributing Editor

If recent events involving consumers' personal details are anything to go by, they signal an urgent need for the Singapore government to get tougher on businesses that fail to take security seriously and exhibit gross callousness in the way they manage customer data. 

Far too often, careless oversights and bad business practices are the source of lapses in cybersecurity incidents, and it is time organisations are held accountable or consumers will, unfairly, remain on the losing end each time something goes awry. 

Take the recent data breach involving Singapore Airlines (SIA), for instance, where a frequent flyer member was able to view someone else's personal data after logging into her Krisflyer account with her user ID and password. These details included the other member's upcoming trip, such as the destination and departure date, as well as his recent transactions, which included the number of miles he had converted using points from his credit card and a recent trip he took to Tokyo. 

SIA attributed the data breach to "a one-off software bug" that occurred when changes were made to the airline's website, affecting 285 Krisflyer members whose personal data including passport and flight details were compromised. In addition, almost 10 hours had passed before the glitch was fixed. 

Commenting on the incident, Synopsys' managing principal of software integrity group Nabil Hannan said software bugs such as these were "very common", especially in applications where the authentication and authorisation structures were not well designed. 

"When building the application, it is most likely there were some basic flaws in the design of how authentication is performed to determine who can access what data," Hannan explained. He noted that these could lead to circumstances in which "simple changes" made in the software could cause undesired results and "horizontal privilege escalation", where one customer could be shown another customer's private data. 

He added that such errors can be easily avoided if security checkpoints are established across the application's development lifecycle. This could entail having proper security measures on how data is to be protected and authenticated, and performing regular security assessments, such as security code review and penetration tests to identify potential vulnerabilities. 

Beyond that, it should be expected that organisations have "checkpoints" in place to handle the aftermath of a security breach or incident. Following the discovery of the software glitch, SIA did not update its security page or post an alert on its homepage to notify customers on what they would need to do if they were among those affected. 

The airline also did not dispatch an update or instructions to its call centre agents so they could better handle customer queries related to the security incident. Instead, one customer agent told ZDNet, quite inaccurately as it turned out, that there had been no reports of any security issues. 

The ability to react and respond quickly is especially critical in instances where there is an actual security breach, such as the one involving SingHealth, where the personal data of 1.5 million patients were compromised. An investigation later revealed several lapses, in particular, tardiness in raising the alarm -- staff took almost a month before notifying senior executives about the breach. 

Security can't be a value-add service

Above all, the crux of the problem is that some organisations still treat security as an afterthought or, worse, a value-add service they provide for customers. 

A while back, I walked into a branch of a local bank to find out why I was not receiving SMS notifications when I made PayNow transfers, as I assumed this was a requirement. The interbank funds transfer service is part of the Singapore government's efforts to drive cashless adoption in the country.

When I told a customer service staff at the bank that my friends receive such SMS alerts when they made PayNow transactions with their bank, he replied that enabling SMS notifications was not mandatory and that competing banks provided it as "a value-add service". 

See also

It baffled me that a basic security feature for a payment service is considered a bonus feature for consumers and that a bank representative would feel so smug about not offering it to its customers. 

As it turned out, I was later informed that a software bug was actually the cause of the missing SMS alerts and had just been fixed when I approached the bank. 

It should worry consumers that organisations continue to regard security on a "best effort only" basis, especially as businesses increasingly demand more of our personal data in exchange for services -- including essential services such as banking and healthcare. 

Despite the frequent reports of security breaches and growing calls for companies to adopt stronger cybersecurity measures, businesses remain recalcitrant and callous with their customers' private data and, as we have seen, sorely lacking in their own security policies and deployment. Google, Twitter, and Facebook, are only a small handful that have disclosed critical security loopholes in the past year. 

One of the surest ways to force businesses to take heed is to ensure their management and leadership teams are held responsible for any security lapse. Financial penalties, for instance, should be paid out from the paychecks of these executives. This would compel business leaders to get involved in their company's security strategy and ensure the necessary resources are allocated to support such initiatives. 

WhiteHat Security's vice president of corporate strategy Setu Kulkarni said the SIA data breach should serve as a wake-up call for the industry. "For all intents and purposes, today's airlines are tech companies and they need to implement security as such," Kulkarni said. 

"Airlines need to model their security endeavours around the hundreds of thousands of customers who trust them to protect the private information they are required to share in order to fly."

In fact, he noted, every company that handles sensitive data -- not just airlines -- needs to make security "a consistent, top-of-mind concern" and regard all IT systems as vulnerable assets that must be secured. Kulkarni said: "This means protecting all potential points of entry, including APIs, network connections, mobile apps, websites, and databases."

It frustrates me to see businesses demanding more and more of my personal data, but not doing equally as much to demonstrate how they are keeping it safe and ensuring they have the systems and checks in place to secure it. 

If companies still are not motivated to do so amid growing security threats, then it is time the government puts more pressure so these businesses get the push they need to operate appropriately. 

The report on the SingHealth breach is due to be published later this week and I hope it includes recommendations for some paychecks to be docked. 

Related Coverage

Singapore Airlines data breach affects 285 accounts, exposes travel details

Singapore carrier points to "a software bug" as the cause of the breach that occurred when changes were made to its website, compromising personal data of 285 customers including seven whose passport details were exposed.

Singapore Airlines customer logs into account, sees stranger's personal data

Frequent flyer member successfully logs into her Krisflyer account using her user ID and password, but sees personal details of someone else, including the booking reference for an upcoming trip, recent activities, and personal email.

Singapore touts open platforms in smart nation drive, acknowledges need to do better in security

New pilots including a drowning detection system are in the works, as the government continues to push its smart nation goal alongside an open, API-driven framework. But it stresses the importance of security in rolling out new services and acknowledges the country needs to do better, particularly, following the SingHealth data breach.

Singapore suffers 'most serious' data breach, affecting 1.5M healthcare patients including Prime Minister

Government describes attack as "deliberate, targeted, well-planned" and assures no medical data has been tempered with, but security vendors warn compromised data may end up for sale on the Dark Web.

Singapore industry needs stronger codes of conduct as consumer data gains value

As businesses capture more information about customers, consumers need to be more informed about such practices and industry guidelines and codes of conduct must evolve to ensure responsible data use.

Editorial standards