Protecting personal data: What your organisation should know
They’re lurking! They smell like trouble. Is your organisation ready when bad actors attack?
Personal data is often described as the digital gold of our time, but that value makes organisations the targets of never-ending cyberattacks. The owners of the data share the same fate: once it is sold on black markets, their privacy and finances are put at risk.
Because handling personal data, an essential part of providing services to individuals, carries this risk, the PDPA was put in place to ensure it is not taken lightly. It sets out rules that organisations must follow or else face financial penalties of up to S$1,000,000.
Organisations should harden the servers that house personal data against bad actors. No server is truly impenetrable, so they must also have security controls and policies in place that limit what an intruder can reach, so that weak cybersecurity does not become an opening for malicious actors.
A financial penalty is certainly not the only consequence an organisation faces after a breach. It can also face backlash from customers and lose the confidence of potential clients, who may no longer be willing to entrust their personal data to it. This is understandable because, in doing so, they would be risking their most confidential information to bad actors who could come after them.
This is what happened to MyDeal: 2.2 million users are now at risk of phishing attacks after the company was breached, and the bad actor is selling the stolen data for $600.
MyDeal data breach impacts 2.2M users.
The MyDeal division of Woolworths has said that a hacker stole the information of 2.2 million customers and tried to sell it on a hacker forum. MyDeal is an online marketplace in Australia that connects people who shop online with local stores.
On October 14, 2022, MyDeal announced that it had been hacked after a bad actor used stolen user credentials to get into the company’s Customer Relationship Management (CRM) system. This gave the threat actor access to customer information and let them view and export it.
The company says that the data breach affected 2.2 million customers, whose names, email addresses, phone numbers, shipping addresses, and in some cases, birth dates, were exposed in the attack.
For 1.2 million of those customers, only their email address was exposed. No account passwords, payment information, or government IDs were exposed.
The bad actor begins to sell the breached MyDeal data.
On October 16, 2022, the hacker who stole the information from MyDeal started selling it on a hacking forum for $600. The hacker says that there are currently 1 million entries in the data but that the number of customers who are at risk will grow as they finish going through the database.
MyDeal has already started emailing the customers affected by the breach. The company says that customers who do not receive an email were not affected. As proof of the attack, the threat actor released screenshots of what they say are the company’s Confluence server and a single sign-on prompt for the company’s AWS account.
The threat actor also published samples of the stolen data, containing the personal information of 286 alleged MyDeal customers. MyDeal said that no passwords were leaked in the attack, but it is still a good idea to change your password to be safe.
Since it is common for threat actors to buy stolen data to use in their own attacks, all MyDeal customers should also be on the lookout for targeted phishing attacks.
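The MyDeal incident, as described above, came down to a valid credential being used to log in to the CRM and export the customer database. What follows is an added example, not code from this article or from MyDeal, of two detections a security team can run over CRM audit logs: a login from a source IP never seen before for that account, and export volume exceeding a threshold within one hour. The log lines are constructed for the example and the field names (user, ip, action, records) and the log format are assumptions; a real CRM will log differently.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CRM audit log (not real MyDeal data). Format is an assumption:
# <ISO timestamp> user=<name> ip=<addr> action=<login|view|export> [records=<n>]
SAMPLE_LOG = """\
2022-10-13T09:02:11Z user=agent7 ip=203.0.113.10 action=login
2022-10-13T09:15:40Z user=agent7 ip=203.0.113.10 action=view records=1
2022-10-13T09:16:02Z user=agent7 ip=203.0.113.10 action=export records=50
2022-10-14T02:41:37Z user=agent7 ip=198.51.100.77 action=login
2022-10-14T02:43:05Z user=agent7 ip=198.51.100.77 action=view records=1
2022-10-14T02:44:19Z user=agent7 ip=198.51.100.77 action=export records=500000
2022-10-14T02:52:48Z user=agent7 ip=198.51.100.77 action=export records=500000
2022-10-14T03:01:12Z user=agent7 ip=198.51.100.77 action=export records=500000
2022-10-14T08:30:00Z user=agent2 ip=203.0.113.22 action=login
2022-10-14T08:31:10Z user=agent2 ip=203.0.113.22 action=export records=200
"""


def parse(line):
    """Turn one audit line into a dict with a datetime and an int record count."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["records"] = int(fields.get("records", 0))
    return fields


def detect(log_text, window=timedelta(hours=1), max_records=10_000, known_ips=None):
    """Return alerts as tuples. Two rules:
    - new_ip_login: a user logs in from an IP not in their baseline
      (known_ips, or IPs seen earlier in the same log).
    - bulk_export: exports by one user within `window` exceed max_records.
      Raised once when the threshold is crossed, not on every later export.
    """
    known_ips = {u: set(v) for u, v in (known_ips or {}).items()}
    exports = defaultdict(list)  # user -> [(timestamp, record count)]
    alerts = []
    for line in log_text.splitlines():
        e = parse(line)
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["action"] == "login":
            # Only alert when a baseline exists; the first sighting builds it.
            if user in known_ips and ip not in known_ips[user]:
                alerts.append(("new_ip_login", user, ip, ts))
            known_ips.setdefault(user, set()).add(ip)
        elif e["action"] == "export":
            recent_before = sum(n for t, n in exports[user] if ts - t <= window)
            exports[user].append((ts, e["records"]))
            recent = recent_before + e["records"]
            if recent > max_records and recent_before <= max_records:
                alerts.append(("bulk_export", user, ip, ts, recent))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The first rule only helps if you have a baseline; if the stolen credential is used from a network the account has used before, it will not fire, which is why the volume rule is the more robust of the two. The threshold should be set from what legitimate users actually export, and the response to an alert should be to suspend the session and the export, not just to log it.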
Luckily, there are data protection technologies and practices that organisations can follow to protect the personal data they are collecting, using, and disclosing.
12 Data protection technologies and practices to protect your data
When it comes to protecting your data, you have a lot of options for how to store and handle it. You can use solutions to limit access, keep track of activity, and deal with threats. Here are some of the most common techniques and tools:
1. Data discovery
This is the first step in protecting data: finding out which data sets exist in the organisation, which are business-critical, and which contain sensitive or personal information that may be subject to compliance regulations such as the PDPA.
2. Data loss prevention (DLP)
DLP is a set of strategies and tools that stop data from leaving the organisation without authorisation, whether it is stolen, leaked by accident, or lost. DLP solutions usually combine several controls, such as content inspection of outbound email and uploads, with measures to recover data if a loss does happen.
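Both data discovery and DLP depend on the same capability: recognising personal data in content. The following is an added example, not code from this article or from any product it names, of a small scanner that finds email addresses, Singapore phone numbers and NRIC/FIN numbers, validates the NRIC check letter so that random letter-digit strings are not flagged, and uses the result both to classify stored documents (discovery) and to decide whether an outbound message may leave (DLP). The document contents, file paths and thresholds are constructed for the example.

```python
import re

# Patterns for personal data the PDPA covers. The phone pattern matches
# 8-digit Singapore numbers with an optional +65 prefix; the NRIC pattern is
# deliberately loose and is tightened by the checksum test below.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SG_PHONE_RE = re.compile(r"(?<!\d)(?:\+65[ -]?)?[3689]\d{3}[ -]?\d{4}(?!\d)")
NRIC_RE = re.compile(r"\b[STFG]\d{7}[A-Z]\b")

# Check-letter tables for the S/T (NRIC) and F/G (FIN) series. The M-series
# FIN introduced in 2022 uses a different table and is not handled here.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                  "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}


def nric_is_valid(nric):
    """True if the NRIC/FIN has the correct check letter."""
    if not NRIC_RE.fullmatch(nric):
        return False
    prefix, digits, check = nric[0], nric[1:8], nric[8]
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS)) + _OFFSET[prefix]
    return _CHECK_LETTERS[prefix][total % 11] == check


def scan_text(text):
    """Find personal-data elements in a piece of text, grouped by category."""
    found = {
        "email": set(EMAIL_RE.findall(text)),
        "phone": set(SG_PHONE_RE.findall(text)),
        "nric": {m for m in NRIC_RE.findall(text) if nric_is_valid(m)},
    }
    return {k: sorted(v) for k, v in found.items() if v}


def classify(findings):
    """Map findings to a handling class; government IDs are the most sensitive."""
    if findings.get("nric"):
        return "restricted"
    if findings:
        return "confidential"
    return "internal"


def discover(docs):
    """Data discovery: inventory which documents hold which personal data."""
    inventory = {}
    for path, text in docs.items():
        findings = scan_text(text)
        inventory[path] = {"class": classify(findings), "found": findings}
    return inventory


def dlp_check(text, max_contacts=20):
    """DLP decision for outbound content: (allowed, reason)."""
    findings = scan_text(text)
    if findings.get("nric"):
        return False, f"blocked: {len(findings['nric'])} NRIC/FIN number(s) in outbound content"
    contacts = len(findings.get("email", [])) + len(findings.get("phone", []))
    if contacts > max_contacts:
        return False, f"blocked: {contacts} contact details looks like a bulk export"
    return True, "allowed"


# Constructed sample documents (names, numbers and paths are made up).
SAMPLE_DOCS = {
    "hr/onboarding.txt": "New hire Tan Wei Ling, NRIC S1234567D, mobile 9123 4567, "
                         "email wl.tan@example.com.",
    "marketing/draft.txt": "Reach us at hello@example.com or +65 6123 4567.",
    "eng/readme.txt": "Build with make; see CHANGELOG for version 2.2.",
    "crm/export.csv": "\n".join(f"user{i}@example.com,8{i:07d}" for i in range(30)),
}

if __name__ == "__main__":
    for path, info in discover(SAMPLE_DOCS).items():
        print(path, info["class"], info["found"])
    print(dlp_check(SAMPLE_DOCS["crm/export.csv"]))
```

Pattern matching alone produces false positives (any S followed by seven digits and a letter), which is why the check letter is verified; conversely, data stored in non-text formats, databases and backups will not be found by a text scan, so discovery also has to cover schemas and storage inventories, not just files.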
3. Storage with built-in data protection
Modern storage equipment has disk clustering and redundancy built in. For example, Cloudian’s Hyperstore claims a durability of up to 14 nines, lets you store large amounts of data, and allows quick access with a low RTO/RPO. Note that durability figures describe protection against hardware loss, not against deletion or ransomware, so backups are still needed.
4. Backups
Make copies of data and store them separately, so that you can restore the original if it is lost or altered. When original data is lost, destroyed, or damaged, whether by accident or on purpose, backups are one of the most important means of keeping the business running.
5. Snapshots
A snapshot is like a backup, but it is a complete image of the protected system, including all of its data and system files. With a snapshot, you can bring a whole system back to a particular point in time.
6. Replication
Replication copies data from a protected system to another location on a regular basis. This gives you an up-to-date copy that can be used for recovery and for a quick switch-over to the copy if the main system goes down.
7. Firewalls
Firewalls are devices or software that monitor and filter network traffic according to a set of rules. They can be used to ensure that only permitted hosts and services can reach, or send, data.
8. Authentication and authorization
These controls verify a user’s identity (authentication) and ensure they hold only the privileges they need (authorization). They are usually delivered as part of an identity and access management (IAM) solution, together with role-based access control (RBAC).
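The following is an added example, not code from this article or from any product it names, showing the two controls kept separate: authentication with salted PBKDF2 password hashes and a constant-time comparison, and authorization with a default-deny role-to-permission table. The roles, permissions, usernames and the export operation are constructed for the example. The point worth noting in light of the MyDeal breach is that a stolen credential still authenticates; what bounds the damage is giving the account only the permissions its job needs.

```python
import hashlib
import hmac
import os
import secrets

# Role -> permissions. Anything not listed is denied (default deny).
# Roles and permission names are assumptions made for this example.
ROLE_PERMISSIONS = {
    "support_agent": {"customer:read"},
    "crm_admin": {"customer:read", "customer:export", "user:manage"},
}
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)

_USERS = {}      # username -> {"role": str, "pw": (salt, iterations, digest)}
_SESSIONS = {}   # opaque token -> username


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2 hash; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def add_user(username, password, role):
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    _USERS[username] = {"role": role, "pw": hash_password(password)}


def authenticate(username, password):
    """Verify credentials. Returns a session token, or None on failure."""
    rec = _USERS.get(username)
    # Hash even for unknown users so response time does not reveal which
    # usernames exist; the dummy digest never matches.
    salt, iters, stored = rec["pw"] if rec else (b"\0" * 16, PBKDF2_ITERATIONS, b"\0" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    if rec is None or not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token


def authorize(token, permission):
    """True only if the session is valid and its role grants the permission."""
    username = _SESSIONS.get(token)
    if username is None:
        return False
    role = _USERS[username]["role"]
    return permission in ROLE_PERMISSIONS.get(role, set())


def export_customers(token, customers):
    """A sensitive operation gated on a specific permission, not on login alone."""
    if not authorize(token, "customer:export"):
        raise PermissionError("customer:export required")
    return list(customers)


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple", "support_agent")
    tok = authenticate("alice", "correct horse battery staple")
    print("alice can read:", authorize(tok, "customer:read"))
    print("alice can export:", authorize(tok, "customer:export"))
```

In a real deployment the user and session stores live in a database and sessions expire; the structure stays the same. A further caveat: the example authenticates with a password alone, so a phished or leaked password is enough to obtain a session. Requiring a second factor on login, and re-authentication before bulk operations such as export, closes that gap.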
9. Encryption
Encryption transforms the contents of a file or data set with an algorithm that can only be reversed with the right key. Anyone who does not hold the key cannot read the data, even if the data is stolen. Read the guide to data encryption to find out more.
10. Endpoint protection
Endpoint protection secures the entry points to your network: the laptops, workstations, servers, mobile devices and other endpoints that connect to it. Most endpoint protection software lets you monitor activity at the network’s edge and filter or block traffic as needed.
11. Data erasure
Erasing data that is no longer needed limits liability. This can be done once the data has been processed and analysed, or on a regular schedule once the data is no longer useful. Many compliance regimes, including the PDPA, require you to delete data that is no longer needed.
12. Disaster recovery
Disaster recovery is a set of practices and technologies that determine how an organisation handles a disaster, such as a cyber attack, a natural disaster, or a large-scale equipment failure. Setting up a remote disaster recovery site with copies of protected systems, and switching to those systems when a disaster strikes, is usually part of the disaster recovery process.
A DPO can help
An outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Every organisation’s DPO should also help prevent data breaches, as the officer responsible for the organisation’s data protection posture.
DPOs complement the organisation’s efforts to keep its email environment, and its servers and systems in general, safe from threat actors who want to infiltrate them. The DPO also ensures that policies are in place and that employees are aware of the danger that email impersonation brings.