The biggest data breaches in the ASEAN region

Recent important data breaches in Southeast Asia evidence the region's weaknesses in the areas of cybersecurity and data protection

With its dynamic position as one of the fastest growing digital economies in the world, the ASEAN region has become a prime target for cyberattacks.

According to AT Kearney’s report “Cybersecurity in ASEAN: An Urgent Call to Action”, ASEAN countries are being used as launchpads for cyberattacks, either as vulnerable hotbeds of unsecured infrastructures where numerous computers can be infected easily for large-scale attacks, or as centres for a single point of attack to gain access to the hubs’ global connections.

The report also found that Malaysia, Indonesia and Vietnam are global operational bases for major blocked suspicious web activities, up to 3.5 times the standard ratio, making them hubs for hackers to launch malware attacks.

The World Economic Forum 2019 global risk report has named cyber-attacks and data breaches as the fourth and fifth most serious risks facing the world today. It's the second year in a row in which these threats have been present in the top five list of risks.

Aware of the threat that cyberattacks are posing to the region, last September the 10 members of the ASEAN bloc agreed to 11 voluntary, non-binding norms of responsible behaviour to strengthen cybersecurity.

These norms had been proposed by the United Nations in 2015 and include proposals for individual states to not knowingly allow their territory to be used either to commit “wrongful acts using information and communications technology” or to damage critical technological infrastructure.

Below we have compiled a list of the most serious data breach incidents in the ASEAN region during the past few years.

Thailand and Vietnam, March 2019: Toyota suffers a chain of data breaches

In mid-March, Japan's Toyota Motor Corporation revealed that unauthorised access had been detected on servers at its subsidiaries in Thailand and Vietnam.

On its Thai website, Toyota issued a notice stating that the company was "aware of a possibility that some of Toyota’s entities in Thailand were targeted by a cyberattack and that some of its customer data may have been potentially accessed. While we have no evidence of customer information loss at this moment, details are currently under investigation, and we intend to share further specifics, if any, as soon as details are available."

A similar notice was published on its Vietnamese website, and to date there are no further details as to which personal data might have been breached or how many customers might have been affected.

A month earlier, the multinational car manufacturer had suffered a cyberattack in its Australian subsidiary, which caused disruptions to its IT systems, including phone and email communications.

But the worst attack came on March 21, when personal information belonging to 3.1 million clients was exposed as a result of a data breach in its sales offices in Japan.

The exposed data included names, addresses, dates of birth, occupation and other information. The company said that payment card information was not exposed.

Some experts suggested that Toyota Australia was likely targeted by a Vietnam-linked advanced persistent threat (APT) group tracked as APT32 and OceanLotus, which researchers have described as highly sophisticated.

APT32 has been linked in the past to large-scale hacking attacks conducted on automotive companies.

According to the MITRE ATT&CK database, APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents and journalists. APT32 attacks have taken place mainly in Southeast Asia, including Vietnam, the Philippines, Laos, and Cambodia. The group is believed to be Vietnam-based.

Philippines, January 2019: Cebuana's marketing server breached

More than 900,000 clients of Philippine-based pawnshop Cebuana Lhuillier were affected by a data breach on 19 January. According to the financial institution, the figure represents only 3% of its total clientele.

Cebuana Lhuillier, popularly known as Cebuana, is the leading and largest non-banking financial services firm in the country which provides microloans, pawn-broking, money remittance, bills payments and business-to-business solutions.

The official statement released by Cebuana revealed that customers’ compromised information included date of birth, addresses and source of income. It also said that transaction details were not compromised and that the company’s main servers remained “safe and protected”.

The breach involved an email server used for marketing, and although attempts to use one of its servers were detected on January 15, unauthorised downloads go back to August 2018.

Cebuana said in the statement that it had reported the breach to the National Privacy Commission (NPC), and privacy commissioner Raymond Liboro said it is investigating the incident.

This has been a bad start to the year for the Philippines: on top of the Cebuana case, concerns over the security of Filipinos' passport data were raised after Foreign Secretary Teodoro Locsin claimed that an outsourced company "took all the data" when its contract terminated.

However, the Department of Foreign Affairs has denied a data breach and said that it has "full control" of passport data belonging to Philippines' citizens.

Singapore, January 2019: second health data breach in six months

This week it was revealed that confidential information belonging to 14,200 people diagnosed with HIV was stolen and leaked online in Singapore.

According to a statement published by the country’s Ministry of Health (MOH), the compromised personal data included names, contact details (phone number and address), HIV test results and other medical information of some 5,400 Singaporeans and 8,800 foreigners dating up to January 2013.

The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.

Authorities believe that the person behind the breach is Mikhy Farrera-Brochez, a 33-year-old US citizen who lived in Singapore between 2008 and 2016. He was convicted and jailed for fraud and drug-related offences in 2016 and was deported last year upon completion of his jail sentence.

Farrera-Brochez used to be the partner of Ler Teck Siang, the former head of Singapore's National Public Health Unit, who was convicted for helping him falsify his medical records to disguise the American’s HIV-positive status.

Until 2015, foreigners with HIV were not allowed to visit the island state, even as tourists. Today, any visitor who wants to stay in the country for more than 90 days, including for work, is subject to mandatory medical screening to guarantee that they are not HIV positive.

Ler offered his own blood labelled as Farrera-Brochez's to allow him entry to the country.

Singaporean officials said that they were first made aware that Farrera-Brochez may have had access to the confidential information in 2016 but believed that all material had been seized and secured by the police.

According to the MOH statement, “while access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future.”

Singapore, July 2018: the city-state suffers its largest data breach

Last summer Singapore was subject to the largest data breach in its history, with 1.5 million patients of SingHealth’s specialist outpatient clinics affected, including Prime Minister Lee Hsien Loong and several ministers.

Personal information stolen included names, National Registration Identity Card numbers, addresses, gender and dates of birth. 160,000 patients had details related to outpatient dispensed medicines as well.

A committee of inquiry (COI) was set up in October to investigate the events and contributing factors leading to the cyber attack.

During the COI, which finished on 30 November, it was established that intrusions into SingHealth's electronic medical records (EMR) system - a critical information infrastructure in Singapore - began undetected on June 27 but were discovered on July 4 and terminated by a database administrator at Integrated Health Information Systems (IHiS), the agency which runs the IT systems of all public healthcare institutions in Singapore.

It took six days from the start of the attack for it to be discovered and halted, because IHiS staff initially thought that no data had been stolen.

The COI also concluded that IT gaps and staff missteps contributed to the incident.

Five “top priority” recommendations were proposed by Solicitor-General Kwek Mean Luck for Singapore’s healthcare institutions to work on, including raising awareness of cybersecurity and tighter control of privileged administrator accounts.

Philippines, May 2018: Wendy’s and Jollibee asked to take preventive measures against data breaches

Last May the National Privacy Commission of the Philippines (NPC) gave popular fast-food chain Jollibee Foods Corporation (JFC) 10 days to come up with a plan to rehabilitate the vulnerabilities in its website, which could expose the data of millions of customers in the case of a breach.

In addition to this, the NPC also ordered Jollibee to “employ privacy by design” in re-engineering JFC Group’s data infrastructure. The food chain will also need to conduct a new privacy assessment, while filing a monthly progress report, until the issues in the system are addressed.

The NPC issued these warnings after Wendy’s, another US fast-food chain with operations in the Philippines, was subject to a data breach earlier in the year.

Over 80,000 records, including users’ personal data, were exposed following an infiltration by hackers of Wendy’s Philippines website.

The NPC reported on May 4 that around 82,150 records of customers and job applicants including names, addresses, passwords, payment method and transaction details were compromised in the leak.

In relation to the case, the NPC issued an order addressed to Wendy's in the Philippines to inform users affected by the data breach. The document, which the NPC released on May 2, gave a 72-hour extension for the fast-food chain company to comply.

“On an analysis of the information exfiltrated, it can be ascertained that the exposure of certain sensitive personal or financial information within the database puts the affected data subjects in harm’s way,” the NPC’s order states.

Thailand, March 2018: True Corp's data gaffe

In March 2018 security researcher Niall Merrigan revealed that the identity documents of around 45,000 customers of True Corp, Thailand’s second-biggest mobile network and the flagship company of billionaire Dhanin Chearavanont's Charoen Pokphand Group, had been exposed.

Merrigan discovered the personal details belonging to customers of True Corp's e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.

The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driving licences and possibly passports.

Merrigan said that True Corp was wrongly assuming that the incident was a hack, but there was no security on the data bucket and anybody could have found and downloaded the files.

According to the Bangkok Post, telecoms regulator NBTC is investigating the incident and may force True Corp to compensate its customers for exposing their details. The stored identity records may have been collected as part of the Thai government's mandatory SIM registration scheme, which has already been a target of identity thieves and has been opposed by privacy advocates.

But a cloud expert noted that because the default setting for the AWS S3 service is private, True had to have intentionally set the data to public.

Malaysia, October 2017: Fiasco at the Malaysian Communications and Multimedia Commission

In what’s Malaysia’s darkest data breach episode to date, more than 46 million mobile subscribers’ data was stolen and leaked on to the dark web.

Considering that the state has a population of 32 million, it is believed that the whole country was affected, including foreigners using pre-paid mobile phones.

The leaked information includes mobile numbers, unique phone serial numbers and home addresses.

Personal information from multiple Malaysian public sector and commercial websites was also stolen, making Malaysians vulnerable to social engineering attacks and even phone cloning.

Although the Malaysian technology news website claimed that it reported the breach to the Malaysian Communications and Multimedia Commission (MCMC) after receiving a tip-off, the watchdog asked it to take the news article down.

The tech website was informed that someone was trying to sell huge databases of personal details from at least 12 Malaysian mobile operators for an undisclosed amount of Bitcoin on its forums.

A vast amount of personal data was also stolen from and six different official Malaysian organisations, including the Malaysian Housing Loan Applications and the Academy of Medicine Malaysia. founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC.
