The Post-Data Breach Era in Asia-Pacific: Why a Bad Situation is About to Get Worse
Posted October 18, 2018
If you think Singapore’s biggest data breach was scary, just wait until you see the sequels.
A recent incident has compromised as many as 1.5 million personal health files, and has been described as the most serious such breach of personal data in Singapore’s history. The prospect of falling victim to a major cyberattack is a reality that all organizations now have to deal with, and preparations need to be made across the region to protect from downstream attacks using stolen personal data.
First disclosed on July 20, 2018, the data theft reportedly includes the electronic medical records of patients visiting affected state-run outpatient clinics and polyclinics between May 2015 through July 4, 2018. Those records include name, address, gender, race, data of birth and National Registration Identity Card (NRIC) numbers.
There has been speculation that the hackers may have been state actors specifically targeting Prime Minister Lee Hsien Loonging in hopes of finding embarrassing health information just as Singapore becomes the annual chair of the Association of Southeast Asian Nations (ASEAN).
But that’s little consolation to patients who are likely to become identity theft victims as their personal information is eventually used to take over or create new bank, retail, healthcare and other accounts, apply for fraudulent loans, make illegal purchases and more.
It’s also a serious wake-up call to governments throughout the region hoping to deliver high-quality digital services to their citizens without falling victim to fraud.
As well as data breaches such as this fueling downstream fraud, cybercriminals use other tactics such as social engineering. In a recent survey, 60% of security leaders across industries said their organizations may have fallen prey to social engineering within just the past 12 months. A full 94% say tactics such as watering hole attacks and spear phishing represent significant threats to organizations of all kinds.
Making matters worse: Cybercriminals are increasingly adopting new artificial intelligence (AI) technologies capable of automating social engineering. In fact, AI bots can now even conduct frighteningly convincing voice-based robocalls to make it easier and faster than ever to pry information from a larger number of unsuspecting consumers and corporate employees.
A National Threat
Public sector organizations everywhere are embracing digital transformation initiatives to make services more efficient and easier to access for citizens and other constituents. Of course, that also makes them targets for cybercriminals, espionage groups and others in the process.
In the U.S., the use of synthetic identities leveraging stolen Social Security Numbers (SSNs) is rampant, leading to at least $6 billion in losses per year.
And on the international stage, North Korean-backed hacker group Lazarus is believed to be behind last year’s WannaCry ransomware attack, which crippled hospitals, financial services and critical infrastructure in 150 countries.
As a result, cybercriminals and other malicious actors routinely use identity information like the kind stolen in the recent healthcare agency heist to apply for fraudulent visas, divert loan proceeds, steal retirement benefits, falsify regulatory data, intercept sensitive data and more. In fact, 80 percent of successful cyberattacks on public sector organizations involve stolen identity credentials.
APAC at the Epicenter
With that in mind, look for the filched identity credentials from breaches happening across the Asia-Pacific region to be leveraged in myriad new fraud attacks in coming months—if they aren’t already. But fair warning: They’re likely just a drop in much larger bucket.
Indeed, Asia-Pacific has seen tremendous growth in digital adoption rates—especially mobile. Not only is the mobile channel the primary driver of digital banking services for middle- and upper-classes, but also a key enabler for the region’s financial inclusion in growth and emerging economies. But it has come at a price.
According to the Q2 2018 Cybercrime Report from ThreatMetrix, Singapore, Hong Kong and Australia rank as three of the top 5 most targeted countries for cybercriminals. Worldwide, there were 150 million cyberattacks in the first half of the year, including a 157% increase in China, and a 59% increase in Southeast Asia, year-on-year.
In fact, China has the highest cyberattack rate of any region—at 20.9%—and is experiencing a dramatic increase in home-grown bot attacks. The fuel for all this fire? Identity spoofing—which factors as an attack vector at a rate that rivals all other regions but Africa.
Needed: A New Approach to Identity
For public sector organizations seeking to serve constituents via digital channels, the challenge will be in finding ways to layer new approaches of identity verification and assessment atop those currently in place.
After all, the push to digitize new online services—bill payment and collection, managing healthcare and retirement benefits, making loans, awarding government contracts and more—are mission-critical to modern public sector operations.
As a result, it’s likely that a growing number of organizations will augment these systems with a modern, digital identity-based decisioning approach that leverages machine learning and behavioral analytics to assess each user, their devices, locations, credentials and online behaviors in real time to protect those users in this post-breach era.
The key will be finding solutions with the analytical firepower and access to shared global threat intelligence with the scale and accuracy needed to instantly recognize legitimate users accessing government services, while blocking malicious actors—without causing friction for legitimate users.
Whatever path public sector organizations take, a few things seem certain. One is that we now live in a world where you have to assume a fraudster is behind the screen in every transaction. The other is that dynamic, digital identity data may be the key to winning the battle to deliver fast, frictionless services—without sacrificing security.
To learn more about how government organizations can boost cybersecurity and fight online fraud with a digital identity-based approach to user verification and assessment, download this case study