SINGAPORE: On Tuesday, ride-hailing service provider Uber revealed that hackers had stolen the personal data of 57 million riders and drivers in 2016. Yes, that disclosure came one year after the fact.
What’s worse: The company’s employees chose to pay off the hackers to destroy the data, instead of notifying the people who had been affected by the breach. Two executives, including chief security officer Joe Sullivan, were fired as a result of the incident.
At the same time, Singapore commuters had spoken up about fraudulent transactions charged to their credit cards due to “phantom” rides, although the company has since told Channel NewsAsia that it has “no reason” to believe that the two incidents are linked.
This isn’t the first time this year that users’ data have been compromised after a company failed to safeguard the information. AXA Insurance said in September that the personal data of 5,400 of its Singapore customers was compromised in a cyberattack, and the incident is being investigated.
To date, the Personal Data Protection Commission (PDPC) has imposed fines on seven occasions on various parties for failing to comply with the Personal Data Protection Act (PDPA), including notable companies such as Aviva, PropNex Realty and Tech Mahindra.
Looking at the Tech Mahindra case as an example, the Indian IT vendor was appointed by Singtel to develop, maintain and support the telco’s OnePass log-in system. Due to a coding error, a subscriber’s NRIC number was viewable by 2,518 users, and a total of 2.78 million OnePass users’ accounts were affected, according to the PDPC’s decision posted online.
Why did users choose to entrust their personal and financial details to these service providers? For Uber and Singtel, it’s clear: To easily access their respective services, whether it is to hail a ride using one’s smartphone or access their account and billing information online.
But are we getting too complacent and lulled by a false sense of security in entrusting our information to companies, with the assumption that they will keep our data safe?
Cybersecurity firm Check Point’s Tony Jarvis pointed out that companies holding customers’ personally identifiable information, financial details and other sensitive data have an obligation to keep that information safe.
“When customers provide such information during transactions with various businesses they implicitly trust that the details will be stored, used and processed in a secure manner. Any such breach should be immediately made known as it directly affects the security of each user's personal details,” Mr Jarvis said.
"LIVING IN A VERY TRUSTING WORLD"
Another cybersecurity professional, Forcepoint vice president George Chang, sounded a note of caution, saying that we are “living in a very trusting world”, at least digitally. The childhood warning to “be careful of the people you don’t know” doesn’t seem to be heeded when one makes the jump from physical reality to online, he noted.
“I wouldn’t pay for pizza with my credit card,” Mr Chang said, as an example of being selective in the use of digital payment methods.
And if you think it’s just financial data that is being targeted by hackers, think again.
Kaspersky Lab’s head of anti-malware research Vyacheslav Zakorzhevsky said of the Uber hack, which saw names, email addresses and mobile phone numbers leaked, that it is important never to underestimate the consequences of personal information falling into the hands of intruders.
“The data accessed can be used for further attacks against users, by spreading malware or any type of cyberespionage. For example, attackers can sell a stolen database with personal information on the underground market, where there is high demand,” he added.
TAKING PERSONAL RESPONSIBILITY
So, is there a case to revisit the existing laws to see if more can be done?
Currently, the PDPA stipulates that “an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”.
The legislation is being reviewed, and one of the PDPC’s proposals is mandatory data breach notification, to be made within 72 hours of the organisation becoming aware of the incident, with affected individuals informed as soon as possible.
If this is passed, companies operating in Singapore involved in data breaches would not be able to hide what happened, as Uber did.
But beyond introducing more laws, an area in which Forcepoint’s Mr Chang said the Singapore Government has been encouragingly proactive, perhaps more can be done on the public education front.
He noted that while there are resources put online to create more awareness regarding privacy and sharing of data, there are areas for improvement in the offline world.
For instance, Mr Chang said authorities can be “more proactive in pushing the message of cybersecurity and online hygiene” in terms of having TV commercials, SMS reminders and public education campaigns.
The notion that we, the users, have not taken enough care in safeguarding our personal information, especially financial details, is usually taken as an affront, especially when it is the companies – the data gatekeepers – that have failed us in protecting our information.
But should the responsibility lie solely on their shoulders?
We, as consumers, should also play a part in being more aware of the risks involved, and be more proactive in monitoring our digital presence, particularly personal particulars and financial information.
So the next time you order pizza delivery, or sign up for a service, do weigh up the pros and cons of the convenience afforded against the personal data given.
Better safe than sorry, after all.