The biggest data breaches in the ASEAN region

Recent major data breaches in Southeast Asia show the region's weaknesses in cybersecurity and data protection.

founder Vijandren Ramadass told The Star that all information it had received on the matter was handed over to the MCMC.

The MCMC only acknowledged the data breach a day later in a press statement released on Facebook, later confirming that 46.2 million mobile subscribers were affected.

Singapore, September 2017: Reputation debacle for AXA Insurance and Uber

Before this month’s catastrophic health data breach, Singapore already had a record of serious breach incidents in its territory.

In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal.

Information stolen included email addresses, mobile numbers and dates of birth. However, AXA was quick to reassure customers that no other personal data, including names, postal addresses, financial details, medical records or claims history, had been exposed.

In an email to its customers, AXA’s data protection officer Eric Lelyon said: “We wish to inform you that because of a recent cyberattack, personal data belonging to about 5,400 of our customers, past and present, on our Health Portal was compromised.”

To reassure clients, he continued by saying that “no further action is required from you as the information that was compromised is not likely to, on its own, expose you to identity theft.”

Ironically, in 2014 the insurance corporation had introduced an online risk insurance service in the city-state to protect customers and businesses against cyberattacks.

And in December, just a couple of months after AXA’s episode, Uber disclosed that personal data belonging to 380,000 of its customers in Singapore had been subject to a leak the previous year.

The popular but controversial ride-hailing company only released the news after disclosing that the details of 57 million Uber riders and drivers worldwide had been exposed. Not only that, Uber paid $100,000 to the hacker responsible to destroy the data in an effort to cover up the leak.

This move, which was approved by Uber’s former CEO Travis Kalanick, didn't work too well for the organisation, and the company’s CSO, Joe Sullivan, was sacked shortly after the incident made headlines. However, to this day Uber has avoided paying any significant fines over this episode.

If Uber’s breach had happened after the introduction of the EU’s GDPR, the company could have been fined 4% of its global annual revenue ($23.5 million).

“Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers”, said Dean Armstrong, cyberlaw barrister at Setfords Solicitors. “This will simply encourage them further and result in more attempts to steal personal data from organisations.”

Vietnam, July 2016: trouble in the airports

Airlines around the globe are becoming favourite targets for hackers, as recent attacks on British Airways, Air Canada and Cathay Pacific systems show.

In July 2016, 410,000 clients of Vietnam Airlines saw their personal information compromised after the national flag carrier’s website was subject to a cyberattack by self-proclaimed Chinese hackers.

The data stolen, which was then leaked on the internet, belonged to VIP members of the airline’s Lotusmiles scheme. It included names, birthdays and addresses.

The politically motivated attack also affected flight information displays and speaker systems at Tan Son Nhat International Airport and Noi Bai International Airport, the country’s biggest airports.

Intercepted screens showed derogatory messages in Chinese against Vietnam and the Philippines over their territorial row with China in the South China Sea.

The Vietnam Airlines web page was replaced by the same picture that was showing on the airports’ displays.

Banks raised concerns in the aftermath of the data breach about the use of the leaked information to steal their clients’ money, as many Lotusmiles members had used bank cards to complete transactions with the airline.

Currently, the Vietnam Airlines website has a clause in its customer privacy notice stating that, in case of a data breach, the company will follow the European Union’s General Data Protection Regulation (GDPR) and contact affected clients with immediate effect.

The airline now also has a designated data controller and data protection officer (DPO).

Thailand, March 2016: Expats’ data compromised

Late on a March Sunday afternoon, social media users noticed that a database containing the names, addresses, job titles and passport numbers of more than 2,000 foreign nationals living in Thailand’s southern province was widely available online.

The website where the information was published carried the Thailand immigration police seal but used a private Thai web address, which is not usually associated with government sites. The data was openly accessible without a password and some users even guessed the administration password, which unsurprisingly was 12345.

The site also featured a digital map pinpointing the expats’ locations and their personal details, making it a cause for worry for hundreds of foreigners living in the southern region of the Asian country.

By the time authorities ordered the website taken down on the following Monday, it was already too late. The site’s existence had gone viral and it had become another stain on the government’s cyber security record, which in 2016 had seen the websites of the police, courts and correction departments hacked.

Thai Netizens, a digital advocacy group, tracked down the website's owner, a developer called Akram Aleeming, who later posted a statement on Facebook saying the site had mistakenly been made public during testing stages. According to his statement, the immigration police had commissioned the website.

Philippines, March 2016: “The biggest government data breach in history”

On 27 March 2016, 55 million voters in the Philippines were subject to what’s been deemed the “biggest government data breach in history” after the entire database of the Commission on Elections (Comelec) was hacked and leaked.

Behind the attack was a group calling itself Anonymous Philippines. Following the breach, a second hacker group, LulzSec Pilipinas, posted the database online, and since then it has been widely shared by others.

Anonymous Philippines is a hacktivist community likely to be connected to or inspired by the global Anonymous hacker network, which has rallied supporters in over 20 countries against government corruption and internet censorship.

Among the data stolen from Comelec, which was distributed on both the dark and clear web, were 228,605 email addresses and 1.3 million passport numbers of overseas Filipino voters and 15.8 million fingerprint records.

Other information contained within the breach included postal addresses, place of birth, height, weight, gender, marital status and parents' names. Although dates of birth and names were encrypted, the rest of the data wasn’t.

In an interview with WIRED, security expert Troy Hunt said that the leaked database was a “real hodgepodge” of data structures, with file names suggesting careless copy-and-pasting of old versions, poor maintenance and lenient management.

In 2013, #pR.ison3R, claiming to be part of Anonymous Philippines, posted on Facebook three mobile phone numbers belonging to Benigno Aquino III, the country’s then president.

Copyright © 2019 IDG Communications, Inc.
