Cybersecurity maturity is observed to be nascent among organizations in Asia, with opportunities to make headway in the race to build digital resilience. In May 2023, Black Hat Asia provided insight into cybersecurity trends in the region, raising questions about data exposure, privacy, and data minimization.
In Asia, a dizzying array of security breaches leading to sizeable data exposure rendered citizens in the region numb.
Consider a series of purported data leaks in Malaysia. In May 2022, an alleged information data leak of approximately 22.5 million Malaysians born between 1940 and 2004 was said to have been stolen from the National Registration Department (NRD) and sold on the Dark Web for $10,000. Various reports mentioned that the information was possibly siphoned from the NRD through the API of MyIdentity, a centralized data-sharing platform used by government agencies. However, the Home Minister of Malaysia stated that the personal details did not originate from the NRD.
In December 2022, more suspected data leaks popped up, including one that involved almost 13 million accounts from Astro (the country’s satellite television and IPTV provider), the Election Commission of Malaysia, and Maybank. These reports led to Communications and Digital Minister Fahmi Fadzil calling for CyberSecurity Malaysia and the Personal Data Protection Department to launch further investigations. All three organizations claimed that the data leak allegations are false.
In China, another alleged case in July 2022 claimed the compromise of the Shanghai National Police (SHGA) database, which contains “1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details,” by an anonymous hacker, ChinaDan, as announced on Breach Forums. Reuters could not confirm the authenticity of the post, but, arguably, the shock value is clear.
Over in Indonesia, citizens classified the nation as an “open source country,” referring to the frustrating regularity with which data breaches and exposures occur. In September 2022, an attacker under the pseudonym “Bjorka” hacked into 1.3 billion Indonesian SIM registrations, exposing mobile phone numbers, national identity numbers, telecommunications providers, and more. In a tweet posted on Sept. 10, Bjorka claimed to have done so to demonstrate how easy it was “to get into various doors due to a terrible data protection policy, primarily if it is managed by the government.” The spillover effects will see citizens facing an onslaught of spam calls, spear-phishing, and other social engineering methods leveraged with the exposed data.
More Than Simple Data Shows
Omdia’s Security Breaches Tracker found that 14% of the 4,998 announcements since 2019 originated from the Asia & Oceania region, but Omdia asserts that there are more than those announced. Most security breaches in the region target governments, IT firms, manufacturing, retail, and professional services industries. The top country-level targets include India (20%), Australia (18%), Japan (12%), China (10%), and Singapore (7%), among many others.
Consistent with global trends, data exposure is the main outcome (68% of incidents since 2019) following breaches in the Asia & Oceania region. Apart from malicious hacking, organizations in this region are often compromised due to accidental exposure (19%), ransomware (13%), supply chain attacks (10%), and phishing (7%). With accidental exposures and phishing, the emphasis on human factors cannot be downplayed. The Security Breaches Tracker found that 24% of breaches were from sloppiness or negligence, while 5% originated from accidents, indicating plenty of opportunities for organizations to shore up cybersecurity awareness.
The recurring breaches affecting personally identifiable information (PII) raise questions about what organizations in this region are doing to raise defenses and safeguard systems. Among the growing suite of product offerings enabling threat detection, incident response, and continuous monitoring from leading security vendors, what areas are organizations looking to invest in? Additionally, how is end-user security awareness promoted and encouraged among enterprises in the region to address one of the major causes of security breaches? These remain opportunities for organizations in this region to prioritize proactive cybersecurity strategies.
Virtue of the Minimum
Black Hat Asia also raised the concept of data minimization — a crucial point in the discourse of collecting only what you need to fulfill a specific purpose. Under the General Data Protection Regulation (GDPR) in the European Union (EU) and the UK, the concept is included under Article 5, which covers the essential principles of data protection when processing personal data. “Not holding on to more” in the case of collecting data may prove to strengthen the case for data protection.
Evidently, alerting governments, organizations, and businesses to the importance of a layered approach to cybersecurity will take significantly more than one or two large compromises. Governance, regulations, and serious fines — beyond merely a slap on the wrist — will help reinforce the responsibility of taking greater care with data management, supported with adequate tools that help complete the proactive approach to cybersecurity.