Act swiftly to prevent data breaches

 

The Most EFFECTIVE WAYS to Prevent a Security Data Breach

 

THE allegation that the personal data of 22.5 million Malaysians born between 1940 and 2004, purportedly from the National Registration Department (NRD), have been stolen and sold on the dark web is a serious concern.

According to local tech portal Amanz, the 160GB database containing information such as a person’s name, identity card number, address, date of birth, gender, race, religion, mobile number, and Base54-based photo, is being sold for US$10,000 (about RM43,885) at a well-known database marketplace forum.

In a screenshot shared by the portal, the seller claimed that the database was an expanded repository from the one he sold in September last year.

In the incident last year, the personal data of four million Malaysians were allegedly leaked from the MyIdentity API (application programming interface) and put up for sale at RM35,419.

MyIdentity is a national data-sharing platform that allows government agencies to access individuals’ details from a centralised repository.

This is not the only government database that has been put on sale this year. Apparently, a couple of weeks earlier, the same seller had posted a database allegedly belonging to 802,259 Malaysian voters, obtained from the Election Commission’s website, on the black market.

And sadly, these are not the only incidences of government database breaches.

While the Home Affairs Ministry has denied that the latest database leak was from NRD, the police, on the other hand, have already started their investigation into the breach.

But whatever the outcome is, with the rising number of cases involving government personal data leaks, the authorities must be held accountable for such breaches.

Heads, especially those given the task of ensuring the safety and security of these public data, must roll.

They must be held accountable for their failure in protecting the people’s interests and in ensuring the safety and security of their private details, which could easily be abused.

The government must also act swiftly to address the weaknesses in their system and reassure Malaysians of a better solution to safeguard data stored by government departments and agencies.

It is a question of public safety.

Scammers could use the stolen data to cheat people of their money, while telemarketers would have a field day making unsolicited calls from the leaked telephone numbers of Malaysians.

To prevent leaked data from being misused, the government, including the police, must work harder to go after scammers, who could use such information to trick victims, especially via the Macau scam.Last year, 1,585 Macau scam cases were reported nationwide, resulting in RM560.8mil in losses. This year, the number has already reached 1,258 cases as at April 19, involving RM65.4mil in losses.

As for telemarketing, the Malaysian Communications and Multimedia Commission (MCMC) must be more vigilant and introduce sterner measures to prevent unsolicited calls.

Actions to stop the scammers and unsolicited calls would restore people’s confidence in government agencies despite the data breach.

Lastly, as the custodian of all Malaysians’ data, the government must also be held accountable for any breach.

Currently, the Personal Data Protection Act 2010 (PDPA) does not apply to the federal and state governments. Instead, it only covers commercial entities.

While proposals to amend the PDPA, including making the government accountable, have been made, the amendments have yet to be tabled in Parliament.

Therefore, lawmakers should seriously consider the urgency of the amendments to make Malaysians’ personal data safer in the public domain, preventing them from falling into the wrong hands for illegal use.

This has to be done quickly to prevent more of such data breaches before it is too late and puts national security at risk. 

Source link.  

 Related:

Hisham: Data leak won't affect national security

'Govt must also be held accountable' | The Star

Public fuming over another likely data leak

CLICK TO ENLARGE

PETALING JAYA: The public are outraged over another alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, stolen from the National Registration Department (NRD).

Many are anticipating more scam calls and SMSes as well as fraudulent online transactions to occur over the breach.

Businessman Amirul Asraf, 31, from Wangsa Melawati, said such incidents were the root cause for many the scam calls people are receiving on a daily basis.

“With these data, scammers can convince people that they are calling from the banks, courts, police and authorities. This will make people’s lives harder.

“I read a case where a poor man who obtained assistance from his local assemblyman was cheated after a scammer emptied him out. The assemblyman had to help the victim again as a result.

ALSO READ: ‘Govt must also be held accountable’

“These scammers are heartless. They don’t care if they take a lot or a little or whom they trick, as long as they get the money,” he said.

Software engineer Ahmad Ridzwan, 30, from Bukit Jalil, could only say “Malaysia Boleh” in relation to the leak taking place.

“Not sure what else to comment. This is the worst possible leak because our identifiable data is out in the open and the identity card is the most important one of all,” he said.

Sales executive Shivaendra Gunasegaram, 30, from Petaling Jaya, said smartphones and social media companies already had all data pertaining to the individuals.

As such, all personal information was accessible to many people, he said.

“As long as there are no unauthorised transactions from our bank accounts, I feel that there’s nothing to worry about.

“The advantage of being poor is that they probably won’t target my account because there’s not much in it,” he said jokingly.

Meanwhile, the data leak report continued to create a buzz in online forums and on social media, with many people expressing their unhappiness over the government’s inability to protect vital information from being leaked repeatedly over the years.On Facebook, user Zaidi Rudy said: “Brace yourselves, scam calls are coming in.”

Dennis Ooi said: “Was SOLD mean somebody have to go jail. Any action taken on those responsible. Or tangkap lepas again.”

Wan Meng Lee questioned: “Why the rakyat confidential information can be sold off is it not kept safely omg.”

Abdul Hamid said: “If they know the data being sold, they definitely know who is the seller.”

In the Lowyat forum, user bananjoe said: “Habis go and overhaul the whole new mykad. This is epic ridiculous. Government IT staff doing what ???”

Sycamore said: ”So absurd. But why am I not surprised? Absurdity is the reality.”

Radiowarrior1337 said: “This needs to kena and people head must roll. Tidak apa attitude and biar la dah hack kan so mari lepak minum teh now to discuss what scenario he obtains the data.”

Hackers in your heads, Cybercriminals preying on gullible

Cyberscammers tapping into minds - Conmen get personal data from social media

<< You’ve been had: A user checking an SMS alert about an unauthorised credit card transaction.

PETALING JAYA: Cybercriminals are getting into your head.

Realising that victims are no longer falling for the ‘I’m a Prince who wants to deposit US$50mil (RM199mil) into your account’ e-mail, these syndicates have enlisted psychologists and behavioural experts to launch targetted attacks on companies, groups and individuals.

By going through their victims’ social media accounts, they learn more about their targets and are able to craft attractive e-mail, prompting them to respond.

Clicking on the link in the e-mail will download malware that encrypts your device. Computers, smartphones, smartwatches and any other network-connected device, can be locked by cybercriminals who will only release it for a fee, or “ransom”.

Such ransomware has reached our shores, with a total of 5,069 attacks in Malaysia last year, according to cybersecurity company Symantec Corporation.

“The new modus operandi uses social engineering, with the e-mail being crafted by Malaysians who know the local scenario and how to trigger emotional reactions,” Symantec (Asia Pacific and Japan) cyber security services senior director Peter Sparkes told Sunday Star.

For example, if they find out from Facebook that you went shopping, you could get an official-looking e-mail from a trusted source like a government body or postal department saying: ‘You’ve received a free gift from shopping at our KL outlet. Click this link to trace your parcel’.

“Or if they see you at a cycling event, the e-mail could say: ‘Thank you for participating. Click on the link for photos and videos of the ride’,” he said.

“To decrypt your device, they’ll ask for about US$200 (RM782) in virtual currency like Bitcoin, to bypass the banks,” Sparkes added.

Acknowledging this new threat, Malaysian Communications and Multimedia Commission (MCMC) strategic communication head Sheikh Raffie Abd Rahman urged the public to be more alert.

He said one of the most commonly used social engineering techniques was phishing attacks targetting online banking customers.

Such cases would be investigated by the police under the Computer Crimes Act 1997 or the Penal Code.

A total of 1,311 phishing websites have been blocked by the MCMC between last year and March 8.

This includes fake pages created to acquire personal information such as usernames, passwords, banking information and credit card details by masquerading as a trusted entity in an electronic communication.

CyberSecurity Malaysia (CSM) chief executive officer Dr Amirudin Abdul Wahab said the number of incidents reported to the CSM indicates the growing threat of ransomware here.

Revealing that local businesses are also targeted, he said the CSM will work together with international communities to share current information on ransomware threats and disseminate them to the public.

Malaysian Mental Health Association deputy president Datuk Dr Andrew Mohanraj said cybercriminals have become more sophisticated in their approach by enlisting psychologists.

“But whichever methods they use, there is an underlying modus operandi of appealing to human emotions of fear, greed, curiosity, loneliness, compassion or even spirituality,” he said.

By Christina Chin and Yuen Meikeng The Star

Cybercriminals preying on gullible

Users beware! With cybercriminals leveling up, ransomware attacks are expected to spike here. Malaysians shouldn't let their guard down when it comes to personal information and should be on the lookout for online scams.

HE wasn’t the fastest, but Eugene (not his real name) feels like a champion after finishing his first marathon.

Posting a selfie he made public on his Facebook account, the 28-year-old later receives an e-mail congratulating him on the feat. “Click on this link to see more pictures and videos of the event,” says the e-mail, which appears to be sent from the organiser of the run.

Curious and hoping to see images of himself, Eugene clicks open the link on his laptop but instead, gets a message telling him his device is now locked. All his files have been encrypted and he can’t access them, including his work document to be submitted on Monday.

The only way he can retrieve them is to pay a hacker a ransom of US$300 (RM1,181) in Bitcoin currency. Such an incident, known as a ransomware attack, could very well happen to you if you are not careful.

To top it all off, these cases are expected to increase this year, with “very specific ransomware targeted very specifically at Malaysians” being detected, says Symantec (Asia Pacific and Japan) cyber security services senior director Peter Sparkes.

According to cybersecurity company Symantec Corporation, Malaysia ranks 47th globally, and 12th in the Asia Pacific and Japan region, in terms of ransomware attacks.

Last year, there were 5,069 ransomware attacks or 14 per day in Malaysia. But Sparkes foresees that these numbers will surge.

“Ransomware is very attractive because it makes lots of money. It’ll be big here in the coming months, probably averaging 20 attacks per day.

“We’ve seen a lot of smartphone attacks recently. They love WhatsApp because the best way to get someone to click on a link is if it comes from someone you know,” he says.

Sparkes describes such crypto ransomware as the latest, and most dangerous malware threat because it’s near impossible to get rid of.

He adds that the experience is very emotional because many people do not back up their data.

“For individuals, losing personal data like photos and videos is traumatic so most victims will pay. Some will even tell you how to infect your friends to decrease your ransom,” he reveals.

Ransomware hackers are also using help from psychologists and behavioural experts to study their victims on social media before sending them personalised messages to trigger a response.

But it is not just ransomware that needs to be taken seriously as Malaysians need to be vigilant over social media scams, with these two being named as key trends in the country now by Symantec Malaysia systems engineering director David Rajoo.

He says cybercrime is extremely widespread with one in three Malaysians surveyed having experienced it in the past year and 83% know of someone else who was a victim.

“Consumers here lost an average of 27 hours and about RM8.9bil over the past year, dealing with the fallout of online crime.

“The amount of personal data stored online continues to grow, and while this free flow of data creates immense opportunities, it also opens the doors to new risks,” he warns.

Cybercriminals preying on personal data are also a cause for concern here and globally.

Sparkes points out that personal assistants and those in human resources are popular targets because that’s how cybercriminals gain access into an organisation’s database.

“Take a hotel for example. I’d target the CEO’s personal assistant. All I need is 200,000 of their best guests. If I sold the details at US$50 (RM197), it’s pretty good money for a day’s work. HR staff’s another good one because they look at CVs,” he says.

Last year, 500 million personal information was breached globally. That, he says, is a conservative estimate.

Someone checks out your Facebook activities, creates a personalised e-mail to get you to click on a link, and that’s it.

Everytime you download an app on social media, you could be giving access to your life, he cautions.

Of 10.8 million apps analysed in 2015, three million were collecting way more information than necessary, Sparkes says.

“Cyber scammers are also making you call them to hand over your cash,” he adds.

They send fake warning messages to devices like smartphones, driving users to attacker-run call centers to dupe them into buying useless services.

The services industry is the most vulnerable sector in the country, attracting 72.4% of spear phishing attacks.

There was also a significant spam increase with Malaysia jumping up the global ranking from 44 in 2014 to 23 last year, he adds, lamenting how many still don’t realise that cybercrime is an industry.

Cybercriminals are professionals using very sophisticated tools and techniques.

“They work like any other legit organisation – it’s a 9am to 5pm job with weekends off, holidays and proper offices. A lot of users still think it’s 18-year-olds in the garage fooling around. Nothing could be further from truth. The guys sell info to the underground economy,” Sparkes says.

Syndicates only need three things – cheap broadband, a cyber-savvy workforce they can hire, and countries where cyber laws are weak. Asia Pacific and Japan has invested significantly to give their population access to the Internet, he adds, explaining the shocking rise of cybercrime.

“I’m particularly concerned about the senior citizens as many are just discovering the Internet. They’re very trusting and will download without questioning. People stress on being streetsmart, but it’s just as crucial to be cybersmart,” he feels.

By Christina Chin and Yuen Meikeng The Star

Related story:

M’sians still giving away sensitive info