Singapore must be tougher on firms that treat security as value-add service


Businesses that handle customer data should be expected to do so with all the appropriate cybersecurity systems and policies in place, rather than provide these as a "value-add service", and it's time the Singapore government holds those that fail to do so accountable.

If recent events involving consumers' personal details are anything to go by, they should signal an urgent need for the Singapore government to get tougher on businesses that fail to take security seriously and exhibit gross callousness in the way they manage customer data.  

Far too often, careless oversights and bad business practices are the root cause of cybersecurity lapses, and it is time organisations are held accountable or consumers will, unfairly, remain on the losing end each time something goes awry.

Take the recent data breach involving Singapore Airlines (SIA), for instance, where a frequent flyer member was able to view someone else's personal data after logging into her Krisflyer account with her user ID and password. These details included the other member's upcoming trip, such as the destination and departure date, as well as his recent transactions, which included the number of miles he had converted using points from his credit card and a recent trip he took to Tokyo.  

SIA attributed the data breach to "a one-off software bug" that occurred when changes were made to the airline's website, affecting 285 Krisflyer members whose personal data including passport and flight details were compromised. In addition, almost 10 hours had passed before the glitch was fixed.  

Commenting on the incident, Synopsys' managing principal of software integrity group Nabil Hannan said software bugs such as these were "very common", especially in applications where the authentication and authorisation structures were not well designed.  

"When building the application, it is most likely there were some basic flaws in the design of how authentication is performed to determine who can access what data," Hannan explained. He noted that these could lead to circumstances in which "simple changes" made in the software could cause undesired results and "horizontal privilege escalation", where one customer could be shown another customer's private data.  

He added that such errors could be easily avoided if security checkpoints were established across the application's development lifecycle. These could include having proper security measures on how data should be protected and authenticated and performing regular security assessments, such as security code review and penetration tests to identify potential vulnerabilities.  
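Hannan's point about authorisation design, shown as an added example that is not code from Singapore Airlines or from this article: a minimal "view my trip" lookup in Python, first with the object-level authorisation gap that produces horizontal privilege escalation, then hardened by tying the ownership check to the server-side session identity. The member IDs, trip records and function names are hypothetical.

```python
# Added example, not Singapore Airlines' code: a minimal frequent-flyer
# "my trip" lookup, vulnerable and hardened. All names and data are
# hypothetical, constructed to illustrate the authorisation gap.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Trip:
    trip_id: int
    owner_id: str       # member who booked the trip
    destination: str
    departs: str


# Constructed sample records standing in for the portal's database.
TRIPS: Dict[int, Trip] = {
    101: Trip(101, "member-A", "Tokyo", "2019-02-01"),
    102: Trip(102, "member-B", "Sydney", "2019-03-15"),
}


class Forbidden(Exception):
    """Raised when a member requests a record that is not theirs."""


def get_trip_vulnerable(session_member: str, trip_id: int) -> Trip:
    # Authentication succeeded (session_member is known), but authorisation
    # never checks that the trip belongs to the caller: any logged-in
    # member can read any other member's itinerary by changing trip_id.
    return TRIPS[trip_id]


def get_trip_hardened(session_member: str, trip_id: int) -> Trip:
    # Object-level authorisation: the ownership check is bound to the
    # server-side session identity, never to anything the client sends.
    trip = TRIPS.get(trip_id)
    if trip is None or trip.owner_id != session_member:
        # Same outcome for "missing" and "not yours", so the lookup does
        # not reveal which record IDs exist.
        raise Forbidden(f"member {session_member} may not read trip {trip_id}")
    return trip


def list_trips_hardened(session_member: str) -> List[Trip]:
    # Safer pattern still for "my trips" views: scope the query by owner
    # and never accept a caller-supplied record ID at all.
    return [t for t in TRIPS.values() if t.owner_id == session_member]
```

A security code review or penetration test of the kind Hannan describes would flag the first function precisely because the session identity is accepted but never compared against the record's owner.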

Beyond that, I would expect organisations to also have "checkpoints" in place to handle the aftermath of a security breach or incident. Following the discovery of the software glitch, Singapore Airlines did not update its security page or post an alert on its homepage to notify customers on what they would need to do if they were amongst those affected.  

The airline also did not dispatch an update or instructions to its call centre agents so they could better handle customer queries related to the security incident. Instead, one customer agent told ZDNet, quite inaccurately as it turned out, that there had been no reports of any security issues. 

The ability to react and respond quickly is especially critical in instances where there is an actual security breach, such as the one involving SingHealth, where the personal data of 1.5 million patients were compromised. Investigation later revealed several lapses, in particular, tardiness in raising the alarm--staff took almost a month before notifying senior executives about the breach.  


Security can't be a value-add service

Above all, I believe the crux of the problem is that there still are organisations that treat security as an afterthought or, worse, a value-add service they provide for customers.  

A while back, I walked into a branch of a local bank to find out why I was not receiving SMS notifications when I made PayNow transfers, as I assumed was a requirement. The interbank funds transfer service is part of the Singapore government's efforts to drive cashless adoption in the country. 

When I told a customer service staff member at the bank that my friends would receive such SMS alerts when they made PayNow transactions with their bank, he replied that enabling SMS notifications was not mandatory and that the competing banks had provided it as "a value-add service".

It baffled me that a basic security feature for a payment service could be considered a bonus feature for consumers and that a bank representative would feel so smug about not offering it to its customers.  

As it turned out, I was later informed that a software bug--where have I heard that before--actually was the cause of the missing SMS alerts and had just been fixed when I approached the bank.  

It should worry consumers that organisations continue to regard security as "best effort only", especially as these businesses increasingly demand more of our personal data in exchange for services--including essential services such as banking and healthcare. 

Despite the frequent reports of security breaches and growing calls for companies to adopt stronger cybersecurity measures, businesses remain recalcitrant and callous with their customers' private data and, as we have seen, sorely lacking in their own security policies and deployment. Google, Twitter, and Facebook are just a handful that disclosed critical security loopholes in the past year.

One of the surest ways to force businesses to take heed is to ensure their management and leadership teams are held responsible for any security lapse. Financial penalties, for instance, should be paid out from the paychecks of these executives. This would compel business leaders to get involved in their company's security strategy and ensure the necessary resources are allocated to support such initiatives. 

WhiteHat Security's vice president of corporate strategy Setu Kulkarni said the SIA data breach should serve as a wakeup call for the industry. "For all intents and purposes, today's airlines are tech companies and they need to implement security as such," Kulkarni said. "Airlines need to model their security endeavours around the hundreds of thousands of customers who trust them to protect the private information they are required to share in order to fly." 

In fact, he noted, every company that handles sensitive data--not just airlines--needs to make security "a consistent, top-of-mind concern" and regard all IT systems as vulnerable assets that must be secured. Kulkarni said: "This means protecting all potential points of entry, including APIs, network connections, mobile apps, websites, and databases." 

It has always frustrated me to see businesses demanding more and more of my personal data, but not doing equally as much to demonstrate how they are keeping it safe and ensuring they have the systems and checks in place to secure it. 

If companies still aren't motivated to do so amidst growing security threats, then it's time the government puts more pressure so these businesses get the push they need to operate appropriately. 

The report on the SingHealth breach is due to be published later this week and I hope it includes recommendations for some paychecks to be docked. 


Source: ZDNet Downloaded: 20190109
