We have two data breaches this week.
Mass Email at Geneco
Our first unfortunate organisation in Singapore is Geneco, an electricity retailer. This data breach features the classic employee error: exposing the personal details of 350 customers. The PDPC even wrote a guide on it in 2017. Mass emailing everyone’s details is a clear breach with several precedents, and I am quite sure there is a fine waiting.
How would I prevent it? Teaching employees how to BCC or CC is probably not going to be effective. I feel that those who know how to BCC will do it, but those who don’t wouldn’t think to try it. I would have focused more on being careful in handling personal data. Culture takes time but is probably more effective in the long term. With so much attention paid to data breaches, I do think we are getting there soon.
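Culture can be backed by a technical guardrail that catches the mass-CC mistake before the message leaves. The pre-send check below is an added illustration, not code from Geneco or this blog; it assumes a hypothetical internal domain of example.com, a policy limit of five externally visible recipients, and constructed sample messages.

```python
"""Pre-send guard: flag a mailing whose customer addresses are visible in To/Cc."""
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "example.com"  # assumed internal domain (hypothetical)
MAX_VISIBLE_EXTERNAL = 5    # assumed policy threshold (hypothetical)


def visible_external_recipients(raw_message, org_domain=ORG_DOMAIN):
    """Distinct external addresses every recipient would see (To and Cc only).
    Bcc is excluded because Bcc recipients are not disclosed to each other."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    seen = []
    for _name, addr in pairs:
        addr = addr.strip().lower()
        if "@" not in addr:
            continue
        if addr.split("@", 1)[1] == org_domain.lower():
            continue  # colleagues seeing each other is not a disclosure
        if addr not in seen:
            seen.append(addr)
    return seen


def check_outbound(raw_message, limit=MAX_VISIBLE_EXTERNAL):
    """Block when too many external addresses are mutually visible (the mass-CC failure)."""
    exposed = visible_external_recipients(raw_message)
    blocked = len(exposed) > limit
    reason = "%d external addresses visible in To/Cc; move them to Bcc" % len(exposed)
    return {"blocked": blocked, "visible_external": len(exposed),
            "reason": reason if blocked else "ok"}


# Constructed sample: the failure mode, customers placed in Cc.
BAD_MESSAGE = """From: billing@example.com
To: notice@example.com
Cc: alice@mail.test, bob@mail.test, carol@mail.test, dan@mail.test, eve@mail.test, fay@mail.test
Subject: Tariff update

Dear customers, ...
"""

# Constructed sample: same mailing done correctly, customers in Bcc.
GOOD_MESSAGE = BAD_MESSAGE.replace("Cc:", "Bcc:")

if __name__ == "__main__":
    print(check_outbound(BAD_MESSAGE))   # blocked, 6 visible
    print(check_outbound(GOOD_MESSAGE))  # ok, 0 visible
```

A mail gateway would apply the same rule to the envelope rather than the headers, but the decision logic is identical.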
An Inside Job?
Our second unfortunate organisation is bigger news… Sephora appears to have exposed the personal data of several customers in the region, and the data has appeared on the dark web. There is no information on how the data breach happened. I speculate that since there was no password or credit card information in it, this is an inside job. This is also supported by the conclusion that “there was no major vulnerability found on Sephora’s Southeast Asia websites and found no trace of a cyberattack”.
Inside jobs may be much harder to defend against.
“Organisations also need to consider that potential malicious insider threats may exist,” Mr Hannan said. “For example, when looking at where the database was breached, it’s important to understand the threat model of the system, and determine things like who had access to the database and if they really needed to have access.”
Organisations are owning up
Note that the organisations reported the data breach to regulators themselves. They may be motivated by the possibility of lower penalties. However, the ability to control the narrative is also important. In Sephora’s case, the extent of the breach was overshadowed by the information provided by the organisation. It could be 3.7 million accounts!
This is a great development to me. It shows that organisations are getting good advice and following it. It is a great time to be a data privacy professional!
Would you have prevented these kinds of data breaches in the same way? Feel free to comment!