Users are (by far) the most common reason that data breaches occur, as endpoints and identity credentials like passwords are frequently how hackers gain access to the organization’s sensitive data.

Tokopedia suffered Indonesia’s largest data breach including theft of personal data, like e-mails and passwords for 91 million accounts. (Photo by BAY ISMOYO / AFP)

SEA businesses exposed to highest rate of data breaches globally

May 6 was World Password Day, reminding everyone that their logins need to be frequently updated to maintain a high level of security and evade the attention of malicious parties, looking for vulnerable systems to exploit. It also reminds that users are by far the most common reason that data breaches occur, as endpoints and identity access credentials including passwords are frequently the means by which hackers gain access to the organization’s sensitive data.

In Southeast Asia (SEA) – considered the fastest-growing region in the world with burgeoning economies like Indonesia, Singapore, Vietnam, Malaysia, Thailand, and the Philippines – reported incidences of data breaches have shot up exponentially in the past year, marking the region for the biggest increase in reported data breaches worldwide.

The Allianz Risk Barometer 2020 reports that cyber incidents, including data breaches, rank as the most serious business risk globally. And nowhere does the cyber risk seem costlier recently than for SEA businesses, with IBM Security’s 2020 Cost of a Data Breach Report showing that the average security breach is now costing US$2.71 million per organization across SEA.

This is an increase from the US$2.62 million per organization reported in 2019. The IBM report is based on in-depth interviews with over 3,200 security professionals in organizations that suffered a data breach within a 12month period.

Alongside cloud misconfigurations, the report lists stolen or compromised credentials as the most common causes of a malicious breach for companies, representing nearly 40% of incidents. Such incidents have increased sharply throughout the region over the past year, as the regional businesses grappled with a quicker pace of digitalization brought about by necessity, reverting to work from home and adopting cloud and other digital collaboration tools.

In the rush to adopt all these new software, staff were often unprepared or lacked sufficient training in their new tools, potentially allowing exposed endpoints and identity credentials that were not strong enough to withstand concerted password hacks from committed hackers.

But with the potential financial gain that can be derived from stealing valuable organization (and customer) data, user error is not the only cause of data breaches. In May 2020, news broke on Twitter that e-commerce platform Tokopedia had suffered Indonesia’s biggest data breach with the theft of personal data, including e-mails and passwords for 91 million accounts, which subsequently were put up for sale on the Dark Web and resurfaced recently going for a price equivalent to US$15.

Tokopedia dropped from being Indonesia’s 25th most visited site to 110th place immediately following the hack, and as Indonesia’s most popular e-mall has regained some market share in the past few months. The situation is a little tougher for smaller rival Bhinneka, that specializes in business supplies, which revealed just days after the Tokopedia breach that it, too, had been the victim of hacking which gained access to 1.2 million accounts.

The data gleaned from those accounts in SEA’s biggest economy can be used to initiate social engineering scams, commonly known as “phishing”, where a bad actor impersonates an official person using their personal data, usually for financial gain. Malware and ransomware, where hackers lock up company data until the firm pays a ransom, are also up 45%.

The Personal Data Protection Commission (PDPC), Singapore’s data protection watchdog, is meanwhile stating that the number of alerts it received regarding data breaches in the city-state had tripled during February and March, compared with the previous two months.

The PDPC said incidences involved firms from a variety of economic sectors, including finance, retail and manufacturing. The data compromised in those cases included names, e-mail addresses, personal identity numbers, financial details, phone numbers and postal addresses.

Hackers have exploited hastily implemented IT infrastructure and the poor cyber habits of workers with the rapid move to work from home due to Covid-19, said Yeo Siang Tiong, general manager for SEA at cybersecurity specialist Kaspersky, to the Straits Times.

Kaspersky’s products detected and blocked nearly 2.3 million web threats in Singapore during Q1 2021 – a nearly 263% jump from a year ago, which the Kaspersky GM says means that continued data breaches are inevitable.

The outlook is a bit grim for businesses in the region, as data breaches could mean irreparable reputation damage and loss of trust with its customers, but is also just as threatening for individuals whose data was exposed, and this could include the firm’s own workforce and management team.

Stepping up password protections with stronger passwords that are harder to guess, using a combination of symbols and numbers that are frequently changed, and using a password manager to manage a variety of passwords instead of just rotating three easy-to-remember passcodes, could all help provide a basic level of protection for end-users shoring up their end of the cybersecurity puzzle.

This is because the human element is still the weakest element of the puzzle, but it’s also because firms in the region are just beginning to figure out how much cyber protection they truly need. This can be seen from the early days of the pandemic: in Malaysia for instance during the initial lockdown in mid-March 2020, the total of reported cybersecurity incidents rose by a whopping 82.5% in just two weeks, compared to the same period in 2019.