Advisories

MA-746.092019: MyCERT Advisory - Security Best Practices on Data Breach Incident
  •   27 Sep 2019
  •   Advisory
  •   Data Breach

1.0 Introduction

Data breaches refers to an incident where confidential information is leaked or stolen from a system without the knowledge or authorization of the system’s owner. Data breaches often lead to financial losses and a loss of consumer trust for the organisation. In addition, individuals whose personal data have been compromised could be at risk of harm or adverse impact if they do not take steps to protect themselves. For example, hackers can dump the compromise data to underground forum and put it for sale. Figure 1 show the list of compromise databases available for sale and Figure 2 depicted the sample of information available for sale.

Figure 1: List of compromise databases up for sale.

Figure 2: Example of compromise information available on the dark web.

MyCERT also received many cases related to data breach incident for the past 3 years. Figure 3 show the statistic of data breaches incident in Malaysia reported to MyCERT from year 2012-2019. The statistics illustrate gradual decrease of data breach attack between 2012 and 2016, and significant increase in 2017 until 2019.

Figure 3: The statistic of data breaches in Malaysia from year 2012-2019.

Hence it is important for organisations to be accountable towards individuals by preventing and managing data breaches.

2.0 Impact

The impact of a data breach depends on the nature and extent of the breach and the type of information that has been compromised. Some breaches may involve only one or two people while others may affect hundreds or thousands. Larger breaches expose a wider group of people and could require considerable notification and remediation activities.

Serious impacts of a data breach could include:

  • Risk to individuals’ safety
  • Financial loss to an individual or organisation
  • Damage to personal reputation or position
  • Loss of public trust in an Agency or the services it provides
  • Commercial risk through disclosure of commercially sensitive information to third parties
  • Threat to an Agency’s systems, impacting the capacity to provide services
  • Impact on Government reputation, finances, interests or operation.
  • Loss of data integrity.

3.0 Recommendations and guidelines

Protection of sensitive data is required not only for legal or ethical reasons but for issues related to personal privacy, as well as for safeguarding the reputation of the business. Sensitive data includes personally identifiable information (PII) such as names, credit card numbers, email addresses or phone numbers of customers and employees, as well as intellectual property and trade secrets, industry-specific data and information related to operations and inventory. Hence it is important for organisations to be accountable towards individuals by preventing and managing data breaches. This guideline divides into two section which is the preparation before data breaches happen and how to respond after data breaches happen.

Preparation before data breaches

Data breaches can occur due to various reasons, such as malicious activity, human error or computer system error. It is important for organisations to put in place measures which allow them to  monitor  and  take preventive measure before data breaches occur.

Provide Training on Security Awareness - Employees have an important role in keeping their organizations secure; however, without security awareness and effective training, they can be the weak link in the data security chain and present a major vulnerability.

Good security hygiene - With the emergence of cloud storage tools, IoT devices, and BYOD trends, it is easier than ever to put sensitive data at risk. So, system administrator needs to properly configure databases and cloud repositories to avoid targeted attack by hacking group.

Invest in the Right Security Technology - While it is important to have traditional perimeter and network security like firewalls, intrusion detection, and antivirus systems, businesses should consider using encryption standards and a backup policy to reduce risks.

Patched regularly - Ensuring software is updated and patched regularly is crucial in minimizing network vulnerabilities.

Comply with Data Protection Regulations - The best way to ensure compliance is by creating a data security policy that keeps data safe from risks both inside and outside of the company.

Perform regular vulnerability assessments - Vulnerability assessment is the process intended to identify, classify and prioritize security threats as well as determine the risks they pose to organizations. Regular security audits reveal a clear picture of data and act as a checklist to work towards data protection.

Ensure the principle of least privilege – With the purpose to restrict access to sensitive information to a need to know basis.

Develop a Data Breach Management Plan - Although many companies haven’t developed a breach response plan yet, such a framework has an important role in dealing better with cybersecurity incidents, as well as limiting damages and restoring public and employee trust. A data breach management plan should set out the following;

  • A clear explanation of what constitutes a data breach to assist employees in identifying a data breach and respond promptly should one occur.
  • How to report a data breach internally – The role of each employee is important in reporting data breaches. When an employee becomes aware of a potential or real data breach, he or she should know how and who to report the data breach to within the organisation.
  • How to respond to a data breach – The strategy for containing, assessing and managing data breaches would include roles and responsibilities of the employees and data breach management team. Organisations can also consider preparing contingency plans for possible data breach scenarios and measures to be taken or run regular breach simulation exercises to better prepare themselves for responding to data breaches in a prompt and effective manner.
  • Responsibilities of the data breach management team– The composition and the roles and responsibilities of each member of the management team should be clear. This will ensure that the organisation’s response to the data breach will not be unnecessarily delayed.

Responding to Data Breaches

Every data breaches incident requires a quick respond from the organization to prevent further damage to their organization. Early response will be crucial in managing the incident effectively. Generally, the actions taken after a data breach should follow four key steps:

  1. Containing the data breach to prevent further compromise of personal data.
  2. Assessing the data breach by gathering the facts and evaluating the risks, including the harm to affected individuals. Where assessed to be necessary, continuing efforts should be made to prevent further harm even as the organisation proceeds to implement full remedial action
  3. Lodge a Police report and reporting to Jabatan Perlindungan Data Peribadi (JPDP) for their further investigation.
  4. Evaluating the organisation’s response to the data breach incident and consider the actions which can be taken to prevent future data breaches. Remediation efforts may continue to take place at this stage

Generally, MyCERT advises the users of the devices and software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 - 8008 7000 (Office Hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

4.0    References

Popular Advisories
Archives