Malaysia and Australia suffer massive data breaches
The spotlight on cybersecurity has intensified following news of massive data breaches suffered in Malaysia and Australia.
Malaysian authorities are currently investigating an attempt to sell the personal data of more than 46 million mobile phone subscribers, in what would be one of the largest ever data breaches to occur in Asia.
The breach was first reported by local news publication Lowyat.net, after it received a tip-off that someone was trying to sell personal data on various internet forums.
The Malaysian Communications and Multimedia Commission and the police are currently investigating. According to a statement from a Commission minister, they are reportedly closing in on several suspects and expect to complete their enquiry soon.
The leaked data is believed to include the mobile phone numbers, ID card details, home addresses and SIM card data of roughly 46.2 million mobile phone subscribers across 12 network operators. In echoes of the recent Equifax case, the concern is that this data can be used to create false identities in order to make purchases online.
A BBC report has stated that almost every Malaysian could be affected, including tourists on temporary prepaid numbers. Also of concern is just how long the data was being offered for sale before the breach was reported, with an anonymous source cited by Reuters disclosing that the stolen data had attracted considerable interest on the so-called ‘dark web’ from people looking to purchase the data using bitcoins.
Meanwhile, in Australia almost 50,000 government employees across government agencies, banks and a utility have had their personal data exposed online by a third-party contractor, in what is the second largest data breach to have taken place in the country.
A report from iTnews stated that the exposed data was discovered by a security researcher who found names, phone numbers, IDs, email addresses, credit card details, staff expenses and salary information among the leaked content.
Some 25,000 staff records from insurer AMP accounted for half of the data, which also included records from Rabobank and services firm UGL, and some 3,000 records from the Australian Department of Finance, the Electoral Commission and the National Disability Insurance Agency.
The data had been stored on databases created back in March 2016 as backups, and they are believed to have been exposed by a single, as yet unnamed, third-party contractor.
The Australian Cyber Security Centre has stated that the exposed information has now been made secure, while AMP has said that the matter was swiftly dealt with. Nevertheless, as with the Malaysian case, the concern is that data may have already been used to commit financial fraud by enabling the creation of fake identities, and questions still remain about who has been notified and when.
Cybersecurity experts are also commenting on the apparent vulnerabilities of cloud services, which are increasingly used by companies and agencies to store sensitive data, as well as potential weaknesses in digital supply chains. Apart from AMP, the affected companies did not comment.
“In recent years, companies and public bodies are finding that the weak link in their cybersecurity strategy is not, in fact, their own cybersecurity defences. Increasingly, the chink in an organisation’s armour comes from the smaller companies they do business with,” said Oz Alashe, CEO and founder of CybSafe.com, who was quoted by Silicon Republic.