In an era of online transactions, we’re handing out more and more of our personal data to companies; we’re going cashless, shopping transactions are done on our laptops or phones, and we store most of our photos online.
Considering the dependency we have on the web, we’re placing a lot of trust on companies to keep our information safe. After all, we are moving towards a time of technological advancement, so we expect security to keep up.
On the contrary, this year is the year we feel like our confidence in the companies has been especially misplaced, with news of major data breaches coming out one after another.
It wasn’t just on the international front—we were hit with news of local breaches too.
To be clear, not all these breaches happened in 2017, but the news only came to light this year. So here are the big names of 2017 who really messed up when it came to our data, arranged according to when the news was released.
1. September 2017, Equifax: Up to 145.5 million people affected
Equifax is one of the largest consumer credit reporting agencies for Americans. On September 7 2017, they announced that they have had unauthorised data access from May to July. The breach was only discovered on July 29, and Social Security numbers, credit card numbers of consumers and documents with personal information were exposed.
How did they handle it?
The hackers took advantage of a security vulnerability. That flaw was supposedly discovered two months after an industry group shared a fix for it, raising concerns on why Equifax didn’t update their software when the danger was known.
On September 26 2017, the media reported that Equifax’s CEO, Richard Smith, had stepped down.
What was the action taken?
Equifax released a press release detailing the data breach’s facts which included:
- A U.S website application’s vulnerability was exploited by cyber criminals to gain access.
- There is currently no evidence of unauthorised activity on commercial credit reporting databases.
- The company is conducting an assessment and providing recommendations on the next step to take.
They are also redirecting consumers who many have been affected to a website to confirm if they have been targeted in the breach.
Customer Satisfaction
To check if your data has been compromised, Equifax requires consumers to sign up with their own credit product, TrustedID. However, there were complaints that the website wasn’t working properly and wasn’t telling consumers if their data had been in the breach.
Do I feel safe with them?
As I do not use any product or service that Equifax provides, I’m in no position to define my loyalty to them. However, I would be less trusting of any credit reporting agency’s marketing attempts in the future and will think twice before purchasing anything they’re trying to sell.
2. October 2017, Malaysian Telcos: 46.2 million users affected
Named the biggest mobile data breach, Lowyat.net broke the news highlighting the local telcos that were affected by the breach; DiGi Prepaid had the biggest leak (11,411,815), followed by Celcom Prepaid (10,548,183) and Maxis/Hotlink (9,562,019).
What was the action taken?
The leak is estimated to have happened some time in 2014. So far, MCMC has already arranged for a meeting with all the telcos to understand the situation and discuss their next course of action. Investigations are currently undergoing and are reported to be almost complete. A month later, we have yet to receive any updates on the situation.
Customer Satisfaction:
Several users have been calling to sue under the PDPA (Personal Data Protection Act). However, because it was a breach and not an intentional leak, suing is not possible.
Most customers have complained of an increased number of telemarketers and spam emails, blaming the breach. They are also unhappy with how the telcos have managed their data and have demanded for compensation.
Do I feel safe with them?
Before this breach happened, I was admittedly unaware of such scenarios happening. Now, I am more careful with how and where I give out my personal information. This incident has caused me to question if my data is safe with anyone.
3. November 2017, Jobstreet: 17 millions users affected
Jobstreet was another target of the breach—17 million rows of user information was leaked from names, ICs, phone numbers, and email addresses.
How did they handle the breach?
They were the first company to reach out in a statement to inform users of the leak and the current status of their own investigations.
What was the action taken?
Chief Executive Suresh Thiru sent an email to all users admitting the breach was real and confirming that the data breach only involved accounts that were created before July 2012, therefore those created after were safe. However, they strongly advised users to not give out personal information more than necessary and refresh passwords if possible.
Customer Satisfaction:
Again, Malaysians complained about having their data compromised, but there were a few that gave kudos to Jobstreet for actually stepping up and doing their job—taking real steps to handle the situation. However, we still have yet to receive any update on investigations being launched by MCMC or Jobstreet.
Do I feel safe with them?
I may trust Jobstreet a little more than the telcos to keep me updated on the ongoing investigations of the breach, but that’s about it.
4. November 2017, CIMB: Unknown number affected
Early last month, CIMB’s magnetic tapes containing backup customer data was lost during a routine operation. It was reported that the data was not compromised in any way.
How did they handle it?
CIMB was quick to affirm that the necessary precautions and measures had been taken to ensure no negative impact would result from the loss of the tapes. They issued a statement on the very same day to the public and are working with the relevant authorities to take countermeasures.
What was the action taken?
The bank was true to its word to be quick to action—they immediately heightened security measures across all their channels, temporarily suspending call center services. They also informed Bank Negara of the incident and agreed to have a third party to investigate the root cause of the issue.
Customer Satisfaction:
Many complained about the negligence of their actions, as initial investigations found it was due to a lack of precaution on their part, ruling out sabotage as a cause.
Do I feel safe with them?
Although they did take take measures to inform the public and increase security around the edges, we still don’t know for sure what the lost data contains—they claim it’s only backup customer records, but how do we really know?
5. November 2017, Uber: 57 million users and drivers affected
A big name in the car-sharing business, Uber was under fire for trying to hide a massive breach that exposed 57 million users’ data in their database a year ago. Names, email addresses, phone numbers, and drivers licenses of 600,000 drivers in the United States were revealed to the hackers.
How did they handle it?
The hack happened in October 2016, but Uber failed to disclose it until their new chief executive, Dara Khosrowshahi revealed it in a statement on their website.
What was the action taken?
The company tried to cover this up by paying the hackers US$100,000 (around RM408,000) to keep the information off the dark side of the web and getting them to delete the data they stole.
They also declined to say what other companies were involved in the breach. After the breach was exposed, Uber fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, over their role in the incident.
As part of their ongoing actions, among other things, Dara shared that they are providing the drivers with free credit monitoring and identity theft protection.
Customer Satisfaction:
Users were pretty miffed at having this breach hidden from them. Many mentioned that they preferred to know if their data had been compromised.
Do I feel safe with them?
While many condemned Uber for hiding such huge news, I felt that they did do their portion by paying the hackers to delete the data they stole—ethical considerations aside, at least they didn’t just let it float out there in the open. But I will think a little before trusting Uber with any new data I have.
6. December 2017, oBike: Unknown number affected
Singaporean bike-sharing platform oBike was also hit by a data breach storm early this month.
A German report revealed that mobile phone numbers, email addresses and location data were exposed on the app. The German journalists also discovered that oBike had no protection whatsoever for the users data; when they shared invitation codes and shared completed rides on their social media accounts, their data was openly exposed for at least two weeks.
How did they handle it?
oBike’s app vulnerabilities were flagged several times by security experts from Taiwan in early June, but no action was taken then. The journalists also discovered that German users were not the only ones affected, as they were able to see names, phone numbers, profile pictures and movement profiles of users from Great Britain, Singapore, Malaysia or Switzerland.
What was the action taken?
A representative from oBike informed CNET that the security loop was the result of a gap in its application programming interface (API) and they have since removed flaw. They also released a statement confirming the security gaps were closed and promised the users that they would act quickly to fix any safety gaps and protect user data.
Customer Satisfaction
As this news is still new, only reported end of November, many people are still processing the news.
Do I feel safe with them?
I won’t trust oBike with my information. Not only did they ignore multiple requests to fix the security flaws in their app, they openly violated the Data Protection Act by not meeting the security requirements.
BONUS: And presenting to you the MVP and of all data breaches: Yahoo!
Yahoo data breach fall only keeps getting worse; first from August 2013, where 1 billion accounts were targeted in the attack. In an unrelated event, they were targeted again in late 2014, this time with over 500 million accounts stolen.
But as the epic conclusion to this, in October 2017, parent company Verizon revealed that the number of breached accounts from the 2013 hack was actually 3 billion, after receiving new information and investigating the updates.
Three billion accounts hacked—including email, Tumblr, Fantasy, and Flickr. This means that anyone who registered across Yahoo Mail and other Yahoo-owned properties at the time is affected.
Yahoo has since urged users to change their passwords and reset new security questions to review their account for any suspicious activity.
To date they still have not caught the culprit behind one of what may be the “largest breach in history”, if what Verizon Communications have provided is accurate.
So how can someone protect themselves if their data has been compromised?
- Change your password and security questions. Not just on your Yahoo account, but any other accounts you have that use similar information. It’s also better to use different passwords for each account. There are password management apps that you can use, or compile them in an Excel document and encrypt it offline so no one else can access it. Some people are even recommending the old method of writing them down and keeping them locked up and safe.
- Review all of your accounts regularly and look for suspicious activity. Enable two-factor authentication on your accounts.
- Think twice before responding to unsolicited communications that ask for personal information or refer you to a webpage that asks for personal info.
- Don’t click on links or download attachments from suspicious e-mails.
- Not necessary, but you may want to consider investing in identity theft protection if you feel at risk.
We’re living in an age that puts us at risk of data breach every growing minute. With everything moving online, it’s important to stay aware on the risks of online theft and know how to protect ourselves against it to avoid being targeted.
Do you trust that companies are taking the necessary steps to protect our data? Let us know in the comments.
Feature Image Credit: consumer.ftc.gov
