Being one of the fastest growing digital economies in the world, the ASEAN region has become a hotspot for cyberattacks.
According to AT Kearney’s report on cybersecurity, ASEAN countries are being used as launchpads for cyberattacks, either as vulnerable hotbeds of unsecured infrastructures where numerous computers can be infected easily for large-scale attacks, or as centres for a single point of attack to gain access to the hubs’ global connections.
Malaysia, Indonesia and Vietnam are global operational bases for major blocked suspicious web activities–up to 3.5 times the standard ratio, making them hubs for hackers to launch malware attacks, the report found.
Cyber-attacks and data breaches have been ranked as the fourth and fifth most serious risks facing the world today by the World Economic Forum 2019 global risk report.
The policy preparedness to strengthen cybersecurity in ASEAN region is still nascent, with a lack of institutional oversight and low levels of spending to fortify digital economies.
Here is a quick look at some of the worst data breach incidents in the ASEAN region during the past few years, which depicts why emphasis must be laid on cybersecurity.
Thailand and Vietnam, March 2019: Toyota suffers a chain of data breaches
In March, Japan’s Toyota Motor Corporation revealed that unauthorised access had been detected on servers at its subsidiaries in Thailand and Vietnam.
On its Thai website, Toyota issued a notice stating that the company was “aware of a possibility that some of Toyota’s entities in Thailand were targeted by a cyberattack and that some of its customer data may have been potentially accessed. While we have no evidence of customer information loss at this moment, details are currently under investigation, and we intend to share further specifics, if any, as soon as details are available.”
The company published a similar notice on its Vietnamese website and to date there are no further details as which personal data might have been breached and how many customers might have been affected.
But the worst attack came on March 21, when personal information belonging to 3.1 million clients was exposed as a result of a data breach in its sales offices in Japan. The exposed data included names, addresses, dates of birth, occupation and other information. The company said that payment card information was not exposed.
Philippines, January 2019: Cebuana’s marketing server breached
More than 900,000 clients of Philippine-based pawnshop Cebuana Lhuillier were affected by a data breach on 19 January. According to the financial institution, the figure represents only 3 percent of its total clients.
Cebuana Lhuillier, popularly known as Cebuana, is the leading non-banking financial services firm in the country which provides microloans, pawn-broking, money remittance, bills payments and business-to-business solutions.
On the official statement released by Cebuana it was revealed that customers’ compromised information included date of birth, addresses and source of income. It also said that transaction details were not compromised and that the company’s main servers remained “safe and protected”.
Singapore, January 2019: second health data breach in six months
A few months ago, confidential information belonging to 14,200 people diagnosed with HIV was stolen and leaked online in Singapore.
According to a statement published by the country’s Ministry of Health (MOH), the compromised personal data included names, contact details, HIV test results and other medical information of some 5,400 Singaporeans and 8,800 foreigners dating up to January 2013.
The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.
According to the MOH statement, “while access to the confidential information has been disabled, it is still in the possession of the unauthorized person, and could still be publicly disclosed in the future.”
Singapore, July 2018: the city-state suffers its largest data breach
Last year, Singapore was subject to the largest data breach in its history with 1.5 million patients to SingHealth’s specialist outpatient clinics affected by it, including Prime Minister Lee Hsien Loong and several ministers.
Personal information stolen included names, National Registration Identity Card numbers, addresses, gender and dates of birth. 160,000 patients had details related to outpatient dispensed medicines as well.
Philippines, May 2018: Wendy’s asked to take preventive measures against data breaches
The National Privacy Commission of Philippines (NPC) emitted cautionary warnings after Wendy’s, a US fast-food chain with operations in the Philippines, was subject to a data breach earlier in 2018. Over 80,000 records, including users’ personal data, were exposed following infiltration by hackers of Wendy’s Philippines website.
The NPC reported that around 82,150 records of customers and job applicants including names, addresses, passwords, payment method and transaction details were compromised in the leak.
In relation to the case, the NPC issued an order addressed to Wendy’s in Philippines to inform users affected by the data breach. The document, which the NPC released on May 2, gave a 72-hour extension for the fast-food chain company to comply.
Thailand, March 2018: True Corp’s data blunder
In March 2018 security researcher Niall Merrigan revealed that the identity documents of around 45,000 customers of True Corp, Thailand’s second-biggest mobile network had been exposed.
Merrigan discovered the personal details belonging to customers of True Corp’s e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.
The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driving licences and possibly passports.
Merrigan said that True Corp was wrongly assuming that the incident was a hack, but there was no security on the data bucket and anybody could have found and downloaded the files.
According to the Bangkok Post, Telecoms regulator NBTC is investigating the incident and may force True Corp to compensate its customers for exposing their details. The stored identity records may have been collected as part of the Thai government’s mandatory SIM registration scheme, which has already been a target of identity thieves and has been opposed by privacy advocates.
But a cloud expert noted that because the default setting for the AWS S3 service is private, True had to have intentionally set the data to public.
Malaysia, October 2017: Fiasco at the Malaysian Communications and Multimedia Commissions
In what’s considered to be Malaysia’s darkest data breach to date, more than 46 million mobile subscribers’ data was stolen and leaked on to the dark web. Considering that the state has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones.
The leaked information includes mobile numbers, unique phone serial numbers and home addresses. Personal information from multiple Malaysian public sectors and commercial websites were also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning.
Vietnam, July 2016: trouble in the airports
On July 2016, 410,000 clients of Vietnam Airlines saw personal information compromised after the national flag carrier’s website was subject to a cyberattack by self-proclaimed Chinese hackers.
The stolen data, which was then leaked on the internet, belonged to VIP members of the airline’s Lotusmiles scheme. It included names, birthdays and addresses.
The politically motivated attack also affected flight information displays and speaker systems at Tan Son Nhat International Airport and Noi Bai International Airport, the country’s biggest airports.
Intercepted screens showed derogatory messages in Chinese against Vietnam and the Philippines in their territorial row against China in the South China Sea.
Vietnam Airlines website page was replaced by the same picture which was showing on the airports’ displays.
Banks raised concerns in the aftermath of the data breach about the use of the leaked information to steal their clients’ money, as many Lotusmiles members had used bank cards to complete transactions with the airline.
Currently Vietnam Airlines website has a clause on its customer privacy notice where it states that in case of a data breach, the company will follow the European Union’s General Data Protection Regulation (GDPR) and contact affected clients with an immediate effect.
Thailand, March 2016: Expatriate data compromised
Late on a March Sunday afternoon, social media users noticed that a database containing the names, addresses, job titles and passport numbers of more than 2,000 foreign nationals living in Thailand’s southern province was widely available online.
The website where the information was published carried the Thailand immigration police seal but used a private Thai web address, which is not usually associated with government sites. The data was openly accessible without a password and some users even guessed the administration password, which unsurprisingly was 12345.
The site also featured a digital map pinpointing the expats’ location and their personal details, making it a cause for worry to hundreds of foreigners living in the southern region of the Asian country.