by Bharat Mistry
It’s been a busy time for data breaches. First in late March the database of the Philippine Commission on Elections (COMELEC) was ransacked in what could be the biggest government breach in history. And then just days later, Panamanian law firm Mossack Fonseca was attacked and 11.5 million documents leaked to the press detailing the shadowy offshore tax arrangements of many current and former world leaders.
The repercussions of these two incidents will be felt for months or even years to come. If ever there was a fortnight to remind CISOs of the value of best practice data protection, it was the one just gone.
Bad day at the office
Despite COMELEC statements to the contrary, Trend Micro research shows that Personally Identifiable Information (PII) on up to 55 million Philippine residents – all the registered voters of the Asian nation – may have been exposed. These include 1.3 million records of overseas Filipino voters, which contain passport numbers and expiry dates, as well as 15.8 million fingerprint records.
There’s a very real chance the election commission could be sued under local laws for failing to “implement reasonable and appropriate measures to protect personal information against…unlawful access.” Civil suits like this are increasingly common following a major data breach and can add significantly to the already prohibitive costs of remediation and clean-up of breached systems – and in the case of private enterprises, a share price slump and brand/reputation damage.
When it comes to Mossack Fonseca, it’s hard to see how the law firm can regain the trust of its exclusive clientele, as more details emerge of just how poorly prepared it was to defend against a cyber attack. According to a Wired analysis, the firm had not updated its Outlook Web Access login since 2009 and had not updated its client login portal since 2013. This means the latter – which runs on the open source Drupal CMS – is vulnerable to 25 bugs, including a major SQLi flaw which could allow hackers to remotely access key systems.
Considering the highly sensitive information on world leaders and others held on the firm’s servers, it is remarkable how poor a handle it apparently had on security. Law firms in particular are an increasingly popular target for cybercriminals for exactly this reason: they tend to handle extremely sensitive – and therefore potentially lucrative – information on behalf of their clients, but often don’t have the same strict security policies in place.
At this point in time it’s still not clear exactly how hackers managed to get at the treasure trove of data so poorly secured by COMELEC and Mossack Fonseca respectively. But there are some basic security best practices we can already point to which could help to make systems more robust against such threats. They include:
- Data classification, and segregation based on its sensitivity
- Patching: keep all systems up-to-date to remove the ‘low-hanging fruit’
- Regular security audits and pen testing of systems
- User education to help staff spot suspicious emails, social media links etc.
- Restriction of access controls and use of 2FA for privileged users
- Breach contingency plans to help minimise data loss in event of a successful attack
- Appointment of a dedicated data protection officer to oversee the above