Protecting Individuals and Businesses From Data Breaches

There has been an increase in the number of reports of data breaches globally. For individuals, the data breached may include personally identifiable information (PII) such as an individual’s name, NRIC number, mobile number, address, email address, bank account number or credit card details. Threat actors may use such information to carry out targeted phishing attacks or compromise other accounts, such as resetting passwords or requesting for one-time passwords. For businesses, the impact of data breaches can also be severe, resulting in a loss of trust or reputation for the businesses, as business or customers’ personal data is leaked or put up for sale online. In some cases, the data is held at ransom by cyber criminals, and may not be returned even if a ransom is paid. 

For individuals, practising good cyber hygiene measures can help to mitigate the impact of having their data exposed, in the event of a data breach. Businesses also need to raise their defences against common data breach vectors to reduce the risks of a possible data breach, and put in place adequate measures to minimise the impact of a data breach to their customers.

Common Causes of Data Breach

Weak/Stolen Passwords
Weak password management provides an easy means for threat actors to gain access into a system.  This includes the use of weak passwords that can be easily cracked, such as those that comprise personal information or easy-to-guess passwords. Passwords are the keys to a lock, and should be safeguarded in both the physical and cyber realms.

Unpatched Vulnerabilities
Vulnerabilities which are left unpatched could be exploited by threat actors to gain access into networks or systems to perform various malicious actions, such as modification of files, data exfiltration, and installation of malware or ransomware.

Phishing
Phishing is a popular technique used to obtain sensitive information such as login credentials or credit card details. A phishing email is an email disguised as being sent from a legitimate entity, tricking victims into clicking on a phishing link. Clicking the link will lead to a phishing page which would request for the victims' confidential details or cause the victim's computer to be infected with malware. Phishing may also be conducted via SMS or social media.

Insider Threats 
Insider threats may take the form of deliberate actions by disgruntled/rogue employees who knowingly leak data to competitors or sell them for financial gain. They may also take the form of unintended actions by careless employees who lose data-storage devices, or sends confidential emails to the wrong recipients. 

Cybersecurity Measures for Individuals to Manage Devices and Online Presence

• Change your passwords regularly and change it immediately if your account could have been affected in a reported data breach. Use a strong password of at least 12 characters which includes upper case, lower case, numbers and/or special characters.
• Avoid using the same password for different accounts.
• Enable two-factor authentication (2FA), where available.
• Ensure that an antivirus software is installed on your device and update it regularly.
• Perform antivirus scans regularly to remove any known malware on your device.
• Enable password protection on data storage devices and lock them up when not in use.
• Limit access to social media accounts. Also, limit sharing of personal information online as threat actors commonly look for and use such personal information to carry out targeted phishing. Review your account privacy settings and permissions, and adjust your privacy settings as appropriate.
• Turn on login alerts, if available. The platform should send you an alert when someone logs into your account from an unrecognised device or browser. Review any unrecognised login sessions immediately for unusual account activities such as setting of email forwarding rules to unknown accounts.
• Always be wary of suspicious emails and verify before clicking any links or downloading any attachments, especially if the email comes from an unfamiliar sender. 
• Verify a link in an email/SMS by checking the domain name of the site, as it is an indicator of whether the site is legitimate. Users can hover their mouse over the link to ensure that they are being directed to the URL stated. 
• Avoid using public Wi-Fi when accessing bank accounts and logging in to websites that require sensitive personal information such as banking details and login details, as others may spy on the public network and intercept it. 

When Performing Online Transactions

• Avoid using public Wi-Fi when accessing bank accounts and logging in to websites that require sensitive personal information such as banking details and login details, as others may spy on the public network and intercept it.  
• Consider designating a single credit card for all online purchases and closely monitor transaction alerts via SMS or email. Individuals may also customise a daily transaction limit to prevent large transactions from occurring if your account were to be compromised.
• Ensure that the website supports secure payment service. You can verify that the website is legitimate and trustworthy by checking the Secure Sockets Layer (SSL) certificate through the lock icon on your browser’s URL bar. This SSL certificate also enables encryption on the website through Hypertext Transfer Protocol Secure (HTTPS). Users should avoid websites that do not support HTTPS.

Individuals may also check if their email account details have been leaked in a past data breach by visiting ‘have I been pwned’ (HIBP). Email addresses flagged by the HIBP webpage are those that were exposed during a prior online platform data breach, where the email address was used as a login credential. Although it may not mean that the email account has been compromised, individuals should consider changing to a strong password and enabling 2FA on the account. Cybersecurity Measures for Businesses

To reduce the risk or impact of a data breach, businesses are recommended to adopt the following cybersecurity measures to secure their infrastructure and systems.

• Update systems, software and applications to patch existing vulnerabilities.
• Perform antivirus scans regularly, and keep antivirus software updated with the latest malware signature files.
• Install and use Virtual Private Network (VPN) for network infrastructure devices, endpoint devices, and other remote access systems.
• Encrypt important or sensitive data, both in storage and in transit (e.g. when sending over email) so that even if the encrypted data is stolen/leaked, the damage will be limited. Sensitive data should not be publicly accessible or left unencrypted. 
• Limit privileged access to authorised personnel. This reduces the risk of privileged account abuse or compromise. For sensitive systems in particular, limit access to what is necessary. 
• Review and only enable the necessary network ports and services that are required.
• Consider establishing a monitoring system or process to monitor:
  • Authentication logs for remote services and look out for suspicious account behaviour or activities across systems, e.g. if one account is logged into multiple systems simultaneously or if the login is occurring from an unexpected location.
  • Databases for suspicious activities, such as unauthorised copying or exfiltration of PII or important business data.
  • Outbound network traffic for unauthorised communications or data transmissions. For cloud-native applications, ensure proper configuration of security settings and access control. .
• Maintain an updated backup of all the important data to facilitate restoration in the event of a ransomware attack, or a data breach resulting in data loss. The backup should be stored offline and not connected to the enterprise network.
• Conduct security awareness training for employees to learn good cyber hygiene practices such as proper management of important data, and identification of phishing emails.

In addition to these cybersecurity measures, businesses should also develop a data security plan specific to the company's context that outlines how sensitive company data should be used, and the destruction of data that is no longer needed.

For Businesses with an Online Presence

• Avoid storing credit card information on your site by using a good secure payment gateway that has robust checks and validation. Examples of such payment gateway services include those that are tested and approved by the Payment Card Industry (PCI) Council If storing credit card information is necessary, businesses may wish to follow standards such as the PCI Data Security Standards.
• Enforce the need for customers to use a strong password for their online account. Where possible, businesses should implement a two-factor authentication (2FA) as part of the customer login process. 
• Install Secure Sockets Layer (SSL) certificates on your web server to secure and safeguard any data that is sent from the browser to the web server. This prevents threat actors from accessing or modifying any information transferred during a transaction, such as the customer’s personal particulars or credit card details. 
• Install web application firewalls and security plugins to block unauthorised traffic and malicious requests from accessing your network or system. This protects your web servers from common 
• Use a web application firewall to protect your website from common attacks such as SQL injection, cross-site scripting, and cross-site request forgery.
• Conduct regular code reviews and vulnerability assessments before and after deploying your web servers. Look out for possible code injections and ensure that third-party scripts or Application Programming Interfaces (API) will not compromise the servers’ security. 

Data Breach Response Plan
 
Besides preventive measures, businesses should also develop a data breach response plan that should encompass both administrative and containment/recovery actions if a data breach is detected.

Administrative Actions

• Lodge a police report if criminal activities (such as hacking or theft) is suspected.
• If you believe your employees'/customers' PII data was compromised, report the incident to the Personal Data Protection Commission (PDPC) at https://eservice.pdpc.gov.sg/case/db. PDPC has also developed a guide to managing data breaches.
• Contact your affected customers, if any, to take steps on securing their accounts.
• Develop a crisis communications plan for communicating how the company is managing the data breach.

Containment/Recovery Actions

• Conduct an internal investigation to determine how the data breach occurred. Businesses may wish to consider engaging the professional services of a vendor if the data breach occurred as a result of an intrusion into the company’s system, so as to properly clean up and remediate the breach.
• If necessary, restore your system to a clean backup, and/or rebuild the compromised system.
• Perform an antivirus scan to detect and remove any malware in the systems and patch all systems and software.
• Monitor the database and systems for any further suspicious activities. 
  

References:

• https://www.csa.gov.sg/Tips-Resource/publications/cybersense/2019/E-Commerce-Security 
• https://usa.kaspersky.com/resource-center/definitions/data-breach
• https://www.varonis.com/blog/data-breach-statistics/
• https://ifflab.org/7-major-causes-of-a-data-breach/
• https://haveibeenpwned.com/FAQs#DataSource