Good morning, fellow privacy professionals!
I trust that your 2019 has gotten off to a far better start than some of the companies featured in this week’s newsletter. We are only one month into the new year, and there is already a bevy of bad news to digest.
Most shocking in terms of scale is the massive data leak affecting some 2,000 websites around the world. More than 770 million email addresses and passwords have been exposed after being dumped in a hackers’ forum. This is estimated to be the third-largest data breach ever, but the largest in which the stolen information has been made public.
In the Philippines, hot on the heels of the revelation that the Department of Foreign Affairs' passport database may have been compromised, it appears that Cebuana Lhuillier, a Philippine financial services provider, may have suffered a data breach affecting some 900,000 clients.
In my hometown of Singapore, the fallout from the massive SingHealth data breach last year continues to hog the headlines. Much of the attention is naturally focused on the record financial penalty imposed by the Personal Data Protection Commission on SingHealth and its technology vendor IHiS. Combining the $250,000 financial penalty imposed on the former and the $750,000 financial penalty imposed on the latter, the PDPC has effectively levied the maximum penalty that it is able to under the Personal Data Protection Act, reflecting the egregious nature of the circumstances leading to the breach.
However, I think it is also worth mentioning that besides the PDPC’s financial penalty, significant measures, including termination and demotion, were also taken against key personnel within IHiS. Senior leaders, including the chief executive officers of both SingHealth and IHiS, also voluntarily accepted financial penalties from management.
In this regard, all privacy professionals should pay particular attention to the 453-page report issued by the Committee of Inquiry, which was constituted to look into the SingHealth breach. The PDPC's decision in this case relied largely on the conclusions reached by the COI. Besides covering the operational gaps and procedural lapses that contributed to the data breach, the COI also usefully provided the following 16 recommendations on how SingHealth can better protect its database from similar threats in the future:
- An enhanced security structure and readiness should be adopted by the organization. Cybersecurity must be treated as a risk management issue rather than a purely technical one, and must not depend on a single line of defense.
- Online security processes must be reviewed to assess their ability to defend and respond to advanced threats.
- Staff awareness of cybersecurity must be improved to better prevent, detect and respond to security threats.
- Enhanced security checks must be performed, especially on critical information infrastructure systems.
- Privileged administrator accounts must be subject to tighter control and greater monitoring.
- Incident response processes must be improved for a more effective response to cyberattacks.
- There should be partnerships between the industry and the government to achieve a higher level of collective security.
- IT security assessments and audit processes must be treated seriously and carried out regularly.
- Enhanced safeguards must be put in place to protect electronic medical records (or other sensitive personal data).
- Domain controllers must be better secured against attacks.
- A robust patch management process must be implemented to address security vulnerabilities.
- A software upgrade policy with a focus on security must be implemented to increase cyber resilience.
- An internet access strategy that minimizes exposure to external threats should be implemented.
- Incident response plans must clearly state when and how a security incident is to be reported.
- Competent computer security incident response personnel must be appointed.
- An independent forensic review of the network, the relevant database and all endpoints should be conducted post-breach to ensure that no traces of the attacker are left behind.
Do you think your company has adequately checked all the boxes above?