Singapore security lapses underscore need for risk assessment

Recent security incidents and evolving legislations, including cross-border policies, highlight the need for businesses and consumers to assess potential risks and decide how much they are willing to absorb.
Written by Eileen Yu, Senior Contributing Editor

With a security landscape that's increasingly challenging as well as evolving, where legislations including cross-border policies remain fluid, businesses and consumers need to assess their potential risks and decide how much they are willing to absorb.

This has become extremely clear this week where two separate security incidents in Singapore put in question the ability of service providers to adequately protect their networks, and as such, the personal data of their customers. In particular, K Box Singapore has come into much scrutiny for putting at risk the personal data of its more than 317,000 members after its database was breached by a hacker group, called The Knowns. Customer information including e-mail address, contact numbers, birth dates, and membership details such as the number of loyalty points earned have reportedly been leaked.

At a workshop this morning, Bryan Tan, a partner at Pinsent Masons and lawyer specializing in technology, noted that two key questions need to be addressed in the K Box breach. First, the company may have violated Singapore's Personal Data Protection Act (PDPA) if it collected personal data without customers' consent. Second, it may need to now demonstrate it showed due diligence in undertaking reasonable security measures to protect its database and IT systems, Tan explained.

The PDPA mandates that businesses operating in Singapore are obliged to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks".

Rolled out in phases, provisions in the act relating to the Do-Not-Call (DNC) Registry came into effect on January 2, 2014, while the main data protection rules took effect on July 2, 2014, so companies would have time to review and adopt the necessary measures to ensure compliance.

Local education company, Star Zest Home Tuition, was the first company to be charged under the DNC Registry in June for contacting and marketing its services to potential customers without first getting consent.

Should K Box be found to have violated the PDPA, it would be the first company to be charged under the main provisions of the act, which carry higher penalties than those outlined under the DNC Registry, Tan noted.

The Personal Data Protection Commission (PDPC) is currently investing the incident. Until it completes its investigation and releases its findings, customers of K Box will not be able to initiate any private legal action should they wish to seek legal recourse for the violation of their privacy, he said.

Elaborating on the security breach, FireEye Asia-Pacific CTO Bryce Boland said: "Given the type of site K Box was running, the attackers most likely used a SQL injection vulnerability in the application to recover the user database. Perpetrators would not need much IT experience and the tools required to conduct such a breach are both available online and easy to use.

"Unfortunately, many companies still do not fully realize the extent of their vulnerabilities until such a massive data leak is made public," he said.

Conflicting global legislations highlight need for risk mitigation assessment

Amid this apparent fog of security ignorance, it has become glaringly clear that businesses and consumers alike cannot afford to blindly agree to Terms of Service or accept service agreements without first assessing the potential risks.

To further murk up waters, regulations around newer technology such as cloud and Internet of Things continue to evolve and much remains unclear how various jurisdictions around the world handle cases involving such deployments.

Cloud data, for instance, was assumed outside the reach of cross-border legislations if it sits outside the host country. However, a New York-based U.S. Magistrate Judge James Francis in June ruled that local search warrants must include customer data stored in servers located outside the U.S., referring to a case involving a search warrant issued to Microsoft for a customer's e-mail data stored in Dublin, Ireland. The data center houses European citizen data.

Microsoft is still challenging the ruling, but this highlights much ambiguity over customer data sovereignty hosted in the cloud.

I asked Neil McInnes, a partner at Pinsent Masons and lawyer specializing in corporate crime, for his thoughts and he acknowledged that there were still grey areas concerning such legislations, especially when there are conflicting regulations on data privacy across the globe.

To address such concerns, McInnes urged companies that are looking to adopt cloud services or technologies that involve potentially contentious legal issues, to carefully consider and assess the risks and decide how much they are willing to absorb.

"You need to think about how the systems are designed and how you're going to manage these challenges and the sysmatic risk," he said. "Regulators routinely, in my experience, will not necessarily be sympathetic [toward businesses]."

"So I would suggest companies do risk mitigation assessment, consider the different legislations that could impact their business, and decide if they want to, for instance, adopt cloud services. They need to consider if they're prepared to face the risk and how they would respond to the potential risks if they adopted a certain digital strategy," he explained.

Editorial standards