Saturday, September 20, 2014

Re: K Box customer personal data leak a wake-up call for businesses

Personal data of more than 300,000 members of karaoke bar chain K Box was leaked and made public, either through the hacking of K Box or through an "inside job". Regardless of how it got leaked, K Box's weakness in protecting customers' personal data is a breach of the Personal Data Protection Act (enforced since July 2, 2014), and is liable to a fine of up to SGD 1 million. The official website of K Box is down for the Personal Data Commission investigation.
The hackers, collectively called The Unknown, posted the personal data of innocent people, such as names, contact numbers, email addresses, NRIC numbers, dates of birth and marital status. This act allows unscrupulous people with ill intent to manipulate/misuse such data to commit fraud, intimidation, threats and other crimes against these victims (e.g. as experienced by blogger Alfred Siew with a "loan shark", reported in The Straits Times, Home B8, Sept 20, 2014).
The Unknown, if indeed an activist group, failed miserably in their effort to draw public support (akin to shooting yourself in the foot). They struck the wrong chord and stoked people's anger towards them, especially when they purposely exposed innocent people to malicious attacks (by anyone who can get hold of the "free-for-all" data, especially extortionists/fraudsters). If they wanted monetary gain, they again failed to "bargain" with K Box. Note that K Box is liable to a fine of up to SGD 1 million under the Personal Data Protection Act, not to mention that this episode has tarnished its reputation. Also, why punish hundreds of thousands of innocent people, from whom The Unknown gain zilch, when the party deserving punishment is K Box for the laxity of its server security?
Finally, I do believe that no hacker is really invisible on the internet nowadays (or soon won't be anyway), especially when there is international cooperation (to combat/counter terrorism) with participation from numerous countries (which will also cast a wider net over hacking activities). This cooperation will soon be a death knell for malicious hackers, unless they work (via zombies, bots, or the like) from countries not supporting such international collaboration (or are, like Edward Snowden, given special protection by a country). With cooperation and cross-border extradition agreements, it is easy to bring hackers of different nationalities to any country where they committed their crimes.
For those wanting to know why it's not possible to arrest the "Anonymous" group, the answer can be found in this exchange (from Stack Exchange). Briefly, it's very possible to arrest any member of the Anonymous group (who can be anyone with any misdeed, especially those with malicious/criminal deeds). But to arrest all members of Anonymous would be improper, as it would be akin to arresting all employees of Enron (which is illogical), considering that only a few Enron staff/bosses were guilty of crime/fraud (the Enron scandal). That is why it's uncalled for to arrest the Anonymous group (a collection of people) as a whole.
For anyone interested in reading about how hackers are able to attack and how they cover their tracks (in order to be invisible), there is one enlightening article (from Scientific American). There is an ongoing effort to minimize and penalize malicious hacking (via international collaboration and the establishment of a "trace-back" system to catch bad hackers). Furthermore, if national security is breached, Singapore with its internet service providers (ISPs) can at any time blacklist and block IP addresses originating from certain countries (those which are neither members of nor supportive of international collaboration against cyber crime or terrorism), and thus prevent hackers from using bots/zombie machines in these countries to attack Singapore. However, this still depends on the extent of the bot network and the number of compromised computers, with a huge network being unfavorable to law enforcers (I don't think hackers will want to share their network just to see it being shut down through "misuse"). See DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) on Wikipedia.
For now, I'm as excited as anyone to know how the whole episode will unravel. For example, will K Box be fined for negligence and non-compliance with the Personal Data Protection Act, and how much will the fine be? Will the culprits who hacked and leaked the personal data of innocent Singaporeans be caught and brought to justice, similar to the fate of James Raj Arokiasamy? How will other businesses in Singapore react to this episode? I guess a huge fine for K Box will serve as a deterrent and wake-up call for other businesses to enhance their security (which will be good news to many customers).
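As an added illustration of the DNSBL/RBL mechanism mentioned above (example code written for this page, not from the original post or from any real blocklist operator): a DNSBL is consulted by reversing the octets of an IPv4 address (or the nibbles of an IPv6 address), appending the list's zone name, and doing an ordinary DNS A lookup; an answer inside 127.0.0.0/8 means "listed", with the last octet carrying a list-specific reason code. The zone name `dnsbl.example`, the records in `SAMPLE_RECORDS` and the reason-code meanings are all constructed for this example so it runs offline; a real deployment would plug a network resolver into `check_dnsbl` instead.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a real blocklist zone (placeholder name, not a real list).
SAMPLE_ZONE = "dnsbl.example"

# Constructed DNS answers: name -> A record. Real lists answer listed addresses
# with 127.0.0.x; the meaning of x is defined by each list's documentation.
SAMPLE_RECORDS: Dict[str, str] = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",  # 1.2.3.4: "bot/zombie source" (constructed code)
    "8.8.8.8.dnsbl.example": "127.0.0.4",  # 8.8.8.8: "other policy reason" (constructed code)
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to look up: reversed IPv4 octets (or IPv6 nibbles) plus zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 lists use the ip6.arpa-style nibble format: one hex digit per label.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def sample_resolver(name: str) -> Optional[str]:
    """Offline resolver over the constructed zone; None models NXDOMAIN."""
    return SAMPLE_RECORDS.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Network resolver (not used by default): a plain A lookup via the stub resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN or resolver failure both read as "not listed"


def check_dnsbl(ip: str, zone: str = SAMPLE_ZONE,
                resolve: Callable[[str], Optional[str]] = sample_resolver) -> Optional[int]:
    """Return the list's reason code (last octet of 127.0.0.x) or None if not listed.

    Any answer outside 127.0.0.0/8 is treated as "not listed": a wildcard or
    hijacked zone must never cause every client to be blocked.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    resp = ipaddress.ip_address(answer)
    if resp.version != 4 or resp not in LISTED_RANGE:
        return None
    return int(str(resp).split(".")[-1])


def filter_connections(ips: List[str], zone: str = SAMPLE_ZONE,
                       resolve: Callable[[str], Optional[str]] = sample_resolver) -> Dict[str, List[str]]:
    """Split a batch of source addresses into allowed and blocked, for an ISP-style filter."""
    result: Dict[str, List[str]] = {"allowed": [], "blocked": []}
    for ip in ips:
        code = check_dnsbl(ip, zone, resolve)
        result["blocked" if code is not None else "allowed"].append(ip)
    return result


if __name__ == "__main__":
    # Constructed sample of connecting addresses.
    sample_sources = ["1.2.3.4", "10.0.0.1", "8.8.8.8", "192.0.2.7"]
    for src in sample_sources:
        print(src, "->", dnsbl_query_name(src, SAMPLE_ZONE), "code:", check_dnsbl(src))
    print(filter_connections(sample_sources))
```

The design point worth keeping from this example is the fail-open check in `check_dnsbl`: a blocklist that starts answering with non-loopback addresses (or disappears entirely) must degrade to "no opinion" rather than to "block everyone", otherwise the list itself becomes a denial-of-service lever against whoever relies on it.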
Just a thought.
