by Cristina Lago

APAC tops the list of cybersecurity incidents

Oct 15, 2018

According to the latest report released by Gemalto, the Asia Pacific region witnessed the highest number of compromised records and security events


Asia Pacific (APAC) accounts for 35.9% of the global number of cybersecurity events, show the latest findings of the 2018 First Half Review of the Breach Level Index, released last week by Gemalto.

The report by the international digital security company also indicates that the APAC region was subject to 27.2% of compromised records worldwide. However, the actual figures could be much higher, since most countries in Southeast Asia don’t require mandatory reporting of data breaches.

Overall, the total number of records compromised worldwide in the first half (H1) of 2018 was 4,553,172,708. The number marks an increase of 133% over the first half of 2017, making 2018 the year with the most data stolen to date.

From a sector perspective, social media giants including Twitter and Facebook witnessed the greatest number of compromised records in H1 2018 at 2,555,000,000. That’s a 14,927% increase from the previous year. Between 2017 and 2018, the number of incidents involving social media held steady at just six.

“This year social media has been the top industry and threat vector for the compromise of personal data, a trend we can expect to continue with more and more sectors leveraging these platforms to reach key audiences, especially political teams gearing up for major elections,” said Jason Hart, Vice President and Chief Technology Officer for data protection at Gemalto.

“We also expect to see more data breaches reported by European Union countries bound by the new General Data Protection Regulation [GDPR] and in Australia with the new Notifiable Data Breaches law. We should be careful not to misconstrue this as an increase in overall incidents in these areas but rather as a more accurate reflection of what is actually going on”, he concluded.

The industrial sector saw the highest growth rate of all sectors, and healthcare companies experienced the greatest number of security events of any industry in H1 2018, at 256.

Malicious outsiders and identity theft on the rise

Identity theft was once again the most prevalent data breach type tracked in the Breach Level Index. It accounted for 3,972,437,893 compromised records – approximately 87.2% of the accounts breached in H1 2018.

This number also represents a significant growth of 1,128% for identity theft over the previous year.

‘Malicious outsiders’ was identified as the leading factor behind most security incidents (56%) – a change from last year’s prime data breach source, which was accidental loss.

Malicious outsiders were the agents behind Singapore’s most serious data breach to date, where the personal information of some 1.5 million patients was stolen in July from SingHealth, the country’s largest public healthcare provider.

Data protection legislation in Southeast Asia

Earlier this month, the Personal Data Protection Commission of Singapore (PDPC) imposed financial penalties of S$6,000 (US$4,362) and S$7,000 (US$5,089) respectively on Grabcar and Club the Chambers in two separate data breach cases for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data.

In the case of Grabcar, the PDPC received a complaint from one of the company’s drivers whose personal data was disclosed without authorisation through a Google Forms survey created by GrabHitch (a commercial arm of Grab).

Singapore’s PDPC has quickly established itself as one of the most rigorous and involved regulators internationally.

Although the Personal Data Protection Act 2012 (PDPA) is a far cry from the European Union’s GDPR, it is nonetheless the strictest data protection legislation currently in place in the Southeast Asian region, where some countries still haven’t developed comprehensive data protection legislation.

Although there are no mandatory requirements under the PDPA for data users to notify the PDPC or individuals in the case of a data breach, the PDPC issued a best practice guide in May 2015 to help organisations manage personal data breaches effectively, and more recent guidelines provide practical tips on avoiding and managing risks such as accidental data disclosure.

It is recommended that affected individuals be notified immediately if a data breach involves sensitive personal data, and that the PDPC be notified as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.

The PDPC’s first public consultation reviewing the Act (“PDPA Consultation”) closed in October 2017, and focused on ‘approaches to managing personal data in the digital economy’, with topics including ‘challenges for alternatives to consent’ and mandatory breach notification.