Black Hat Asia 2023 in Singapore and its flurry of activities make for an exciting time of the year. Cybersecurity is nascent among organizations in Asia, with plenty of opportunities to rise above in the race to build digital resilience.
Omdia view
Summary
Black Hat Asia 2023 in Singapore and its flurry of activities made for an exciting time of the year. The greatest minds in cybersecurity converge for a week-long gathering to share emerging trends and the latest solutions, present research findings, and connect with professionals alike in the industry. Data security and overall enterprise cyber resilience took center stage among discussions of large-scale breaches compromising sensitive information around the world. Cybersecurity as an area of concern is observed to be nascent among organizations in Asia, with plenty of opportunities to make headway in the race to build digital resilience.
In May 2023, Omdia analysts entered the arena, guided by the theme of “maximum attention, minimum budget.” This is in reference to security functions in organizations dealing with tight budgets despite the demand for enterprise cybersecurity efficacy. The Omdia Analyst Summit at Black Hat Asia followed this very theme, outlining the balancing act between the need for cybersecurity investment and the demands of the rest of the business. This was against the backdrop of an evolving threat landscape (notably ransomware) and supply chain compromises along with data exposures from high-profile breach incidents and compelling discussions about security consulting services.
On the floor at the event, findings from the Omdia Security Breaches Tracker regarding the increase in malicious activity came to life. This was evidenced by the myriad of solution offerings from cybersecurity vendors, including attack surface management, application security, threat analytics, extended detection and response (XDR) platforms, penetration testing, security orchestration, and response platforms, among many others. Together, these offerings provide an impressive arsenal of methods to help protect and build resilience in organizations.
The Security Breaches Tracker noted a 45% jump in malicious hacking activity in 2022 from 2021, while phishing grew by 34%. Social engineering methods remain a favorite for threat actors to gain credentials for access or as points of entry to ransomware or supply chain compromises. This highlights the mounting importance for organizations to secure end users and fortify systems against malicious attacks.
Without missing a beat, ransomware wound its way into most conversations at the event—more so now with the push from generative AI platforms to innovate attack methods as well as more ransomware as a service (RaaS) groups and increasingly sophisticated malware cropping up. The tracker observed that ransomware accounted for 17% of the 4,998 breach announcements tracked since 2019, contributing to sizable data exposure.
Data exposure in the millions in Asia and beyond
The scale with which data, especially sensitive or personally identifiable information (PII), is continually being exposed highlights the roles organizations and data handlers play in implementing security controls, managing access, and adhering to the triumvirate of information security: confidentiality, integrity, and availability (CIA).
Omdia’s Security Breaches Tracker shows that data exposure is the leading breach outcome at 66% of 4,998 breach announcements since 2019, followed by system failure (15%) and process failure (8%). This has been the case every year since 2019, with about two-thirds of security breaches resulting in data exposure: 68% in 2021, 67% in 2020, and 64% in 2019. For scale, breach incidents have led to the compromise of millions of pieces of PII. Take, for instance, a cyberattack on Australian health insurer Medibank in November 2022 that led to the compromise of data belonging to 9.7 million customers. Additionally, in the same month, AirAsia was a victim of a ransomware attack by the Daixin Team hacking group, which compromised the data of 5 million passengers and all its employees.
In Malaysia, a series of purported data leaks and breaches paints a picture of the security posture of large companies and government entities. An announcement was made in May 2022 of an alleged data leak affecting approximately 22.5 million Malaysians born between 1940 and 2004. The data was said to have been stolen from the National Registration Department (NRD) and sold on the dark web for $10,000. Various reports mentioned that the information was possibly siphoned from the NRD through the API of MyIdentity, a centralized data-sharing platform used by government agencies. However, the Home Minister of Malaysia stated that the personal details did not originate from the NRD. In December 2022, more suspected data leaks popped up, including one that involved almost 13 million accounts from Astro (the country’s satellite television and IPTV provider), the Election Commission of Malaysia, and Maybank. These reports led to Communications and Digital Minister Fahmi Fadzil calling for CyberSecurity Malaysia and the Personal Data Protection Department to launch further investigations. All three organizations claimed that the data leak allegations are false.
In China, another alleged case in July 2022 claimed the compromise of the Shanghai National Police (SHGA) database, which contains “1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details,” by an anonymous hacker, ChinaDan, as announced on Breach Forums. Reuters could not confirm the authenticity of the post, but, arguably, the shock value is clear.
Cybersecurity maturity and concern in Asia & Oceania
These cases are just the tip of the iceberg. The pattern observed among the incidents begs the question: what is the perception of cybersecurity and data protection in Asia & Oceania?
Generally, “a lack of attention” is what Omdia has been hearing about cybersecurity in Asia. The dizzying array of breach notifications has rendered people in this region numb. For instance, citizens classified Indonesia as an “open-source country,” referring to the frustrating regularity with which data breaches and exposures occur. In September 2022, a hacker under the pseudonym “Bjorka” hacked into 1.3 billion Indonesian SIM registrations, exposing mobile phone numbers, national identity numbers, telecommunications providers, and more. In a tweet posted on September 10, Bjorka claimed to have done so to demonstrate how easy it was “to get into various doors due to a terrible data protection policy, primarily if it is managed by the government.” The spillover effects will see citizens facing an onslaught of spam calls, spear phishing, and other social engineering methods leveraged with the exposed data. Indonesia is no stranger to such incidents. In March 2020, a hacker leaked the data of 15 million users obtained from a breach into Tokopedia, the Indonesian e-commerce company, hoping for assistance to crack user passwords to gain account access. Later in October that year, a cybersecurity researcher reported that data of nearly 3 million users of Cermati, a fintech aggregator platform based in Jakarta, was leaked and sold online for $2,200. While Cermati admitted there was unauthorized access to its systems, the company did not confirm that the data was compromised.
The Security Breaches Tracker observed that 14% of the 4,998 announcements since 2019 originated from the Asia & Oceania region, but Omdia asserts that this number is higher. Most security breaches in the region target governments, IT firms, manufacturing, retail, and professional services industries. The top country-level targets include India (20%), Australia (18%), Japan (12%), China (10%), and Singapore (7%), among many others. Despite the focus on these industries, all organizations are at risk, especially as they expand their digital footprint.
Alongside this, Omdia has also observed the actions undertaken by government entities in the region in response to data breaches, because most cyberattacks in the region target government bodies. For instance, Indonesia finally passed its Personal Data Protection (PDP) law on October 17, 2022. Additionally, in Australia, amendments to the country’s privacy law will see an increase in maximum fines for privacy breaches from AUD$2.2m to AUD$50m. These amendments were announced in October 2022, following a series of high-profile breaches in Australia, namely those involving Latitude, Optus, and Medibank.
Malaysia, which is cited to have only seen 20 companies fined for major breaches since 2017 (at fines of RM24,000, or approximately $5,304, on average), has legal experts in the country calling for amendments to Malaysia’s Personal Data Protection Act (PDPA) to hold those accountable. Currently, the PDPA extends coverage only to commercial entities and transactions but exempts federal and state government bodies. The Malaysian government is said to be amending the act; the proposed amendments to the PDPA are expected to be presented in the Parliament of Malaysia, the country’s national legislature, before the end of 2023.
Evidently, alerting governments, organizations, and businesses to the importance of a layered approach to cybersecurity will take significantly more than one or two large compromises. Governance, regulations, and serious fines—beyond merely a slap on the wrist—will help reinforce the responsibility of taking greater care with data management, supported with adequate tools that help complete the proactive approach to cybersecurity.
In Asia & Oceania, most security incidents are due to accidental exposures (19%), ransomware (13%), supply chain attacks (10%), and phishing (7%), apart from general malicious hacking attempts. The recurring breaches affecting PII raise important questions about what organizations in this region are doing to raise defenses and safeguard systems. Among the growing suite of product offerings enabling threat detection, incident response, and continuous monitoring from leading security vendors, what products are organizations looking to invest in? Additionally, how is end-user security awareness promoted and encouraged among enterprises in the region to address one of the major causes of security breaches? These remain opportunities for organizations in this region to focus on and prioritize proactive cybersecurity strategies.
Data minimization, privacy, and inference attacks
Alongside data security, Black Hat Asia raised the concept of data minimization: collecting only what you need to fulfill a specific purpose. Essentially, data should be retained only for as long as necessary to fulfill that purpose.
This principle was echoed by Sheena Jacob (Partner at CMS Holborn Asia) during a customer and partner roundtable at the Analyst Summit led by Adam Etherington (Omdia’s Senior Principal Analyst) and joined by David Lewis (CSO & Executive Security Advisor at Telstra) about “not holding on to more” in the case of collecting data. Under the General Data Protection Regulation (GDPR) in the European Union (EU) and the UK, the concept is included under Article 5, which covers the essential principles of data protection when processing personal data.
The concept aligned with other points of view in the cybersecurity ecosystem, namely application privacy, as observed in one of the briefings during Black Hat Asia. The aptly named “A Run a Day Won't Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks” highlighted research on the privacy of fitness tracking social networks (FTSN) by Ph.D. students Karel Dhondt and Victor Le Pochat from KU Leuven.
More “traditional” breaches often involve hacking into servers or databases. In comparison, inference attacks—a data mining technique where an attacker infers data about a database or its contents from related or known data, without needing to infiltrate systems—provided an extraordinary view into other potentially dangerous breach methods. In the case of this research by Dhondt and Le Pochat, the motivations and resulting implications of leveraging the inference attacks include physical harm, stolen expensive sports equipment, and the exposure of specific data (i.e., home address).
The briefing centered on the lack of privacy on FTSNs even when users enable privacy features, such as endpoint privacy zones (EPZs) that hide activity within specified areas. Strava, as well as other major networks including Garmin Connect, Komoot, and MapMyRun, offer privacy controls that restrict the amount of shared information. To demonstrate how an unsophisticated attacker could potentially carry this out with publicly available information, the researchers constructed a cyberattack using distance information revealed in activity metadata, street grid data, and the entry point locations into the EPZ and used regression analysis to predict the protected locations. The results showed that of the 1.4 million global activities on Strava, the attacks could reveal the protected locations of up to 85% of EPZs, indicating that only 15% of users who set up EPZs are protected.
One of the first suggestions of mitigation for application developers was data minimization, based on the principle of “you can’t leak what you don’t have.” The researchers urged collecting only necessary data upon development and design of the application. Further recommendations involved taking proactive steps to fix API leaks to prevent data leaks and reduce the possibility of inferences, letting users choose the size of their privacy zone, and using non-circular shaped privacy zones, among others. However, they acknowledged that mitigation would affect user experience. The researchers have since disclosed the vulnerability to Strava and the other apps investigated and are currently in discussion with Strava about potential mitigation.
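As an added illustration of the “fix API leaks” recommendation (not code from the researchers, Strava, or any of the apps named above): the sketch assumes a hypothetical activity record with GPS `points` and a published `distance_m` field, and assumes the leak is a distance total that still covers the hidden part of the route. It shows an audit check a developer can run against their own public responses, next to the minimized form that publishes no more than the visible track already shows.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def track_length_m(points):
    """Length of a polyline, summed segment by segment."""
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def public_view(activity, zone_center, zone_radius_m, minimize):
    """Build the public form of an activity that starts and ends in a privacy zone.

    minimize=False models the leaky case: points inside the zone are hidden,
    but distance_m still covers the whole recording.
    minimize=True derives distance_m from the visible points only.
    """
    visible = [p for p in activity["points"]
               if haversine_m(p, zone_center) > zone_radius_m]
    source = visible if minimize else activity["points"]
    return {"points": visible, "distance_m": round(track_length_m(source))}

def metadata_leak_m(view):
    """Audit check: metres the metadata reveals beyond the visible track."""
    return view["distance_m"] - round(track_length_m(view["points"]))

# Constructed sample: an out-and-back run from a made-up home location,
# one GPS fix roughly every 111 m, with a 300 m circular privacy zone.
HOME = (50.0, 4.0)
_out = [(50.0 + i * 0.001, 4.0) for i in range(11)]
ACTIVITY = {"points": _out + _out[-2::-1]}

if __name__ == "__main__":
    for minimize in (False, True):
        view = public_view(ACTIVITY, HOME, 300, minimize)
        print(minimize, view["distance_m"], metadata_leak_m(view))
```

A non-zero result from `metadata_leak_m` on a public response means the metadata discloses how far the hidden portion extends inside the zone, which is the kind of field data minimization would drop or recompute.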
All in all, Black Hat Asia provided a roundup focusing on cybersecurity trends in Asia & Oceania. While high-profile breach cases make for doom and gloom, there is still hope, because such incidents may serve as wake-up calls for organizations to prioritize security by design and take a more proactive, layered approach to cybersecurity.
Appendix
Further reading
Security Breaches Tracker 1Q19-4Q22 (April 2023)
Cybersecurity: Maximum attention, minimum budget – the carrot and the stick (April 2023)
The “big three” data privacy breaches lead cybersecurity conversations in Australia (May 2023)
“AirAsia victim of ransomware attack, passenger and employee data acquired,” DataBreaches.net (retrieved May 17, 2023)
“Data of 22.5 million Malaysians born 1940-2004 allegedly being sold for US$10k,” The Straits Times (retrieved May 17, 2023)
“Home minister: Data leak of over 22 million Malaysians not from National Registration Department,” Malay Mail (retrieved May 23, 2023)
“Malaysia minister tells agencies to look into purported data leak involving 13 million accounts,” Channel News Asia (retrieved May 17, 2023)
“Only 20 companies fined for data breaches since 2017,” Free Malaysia Today (retrieved May 17, 2023)
Antonia Timmerman, “Sick of data leaks, Indonesians are siding with a hacker who exposed 1.3 billion SIM card details,” Rest of World (retrieved May 17, 2023)
Catalin Cimpanu, “Hacker leaks 15 million records from Tokopedia, Indonesia's largest online store,” ZDNet (retrieved May 23, 2023)
Daryna Antoniuk, “Australia to tighten privacy laws, increase fines after series of data breaches,” The Record (retrieved May 17, 2023)
Dhondt, K., Le Pochat, V., Voulimeneas, A., Joosen, W., & Volckaert, S. (2022, November). A Run a Day Won't Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 801-814). Retrieved May 17, 2023
Eileen Yu, “Indonesia finally passes personal data protection law,” ZDNet (retrieved May 17, 2023)
Eisya A. Eloksari, “Fintech Cermati data breach points to urgency for data protection law: Experts,” The Jakarta Post (retrieved May 23, 2023)
Ionut Arghire, “Medibank Confirms Data Breach Impacts 9.7 Million Customers,” Security Week (retrieved May 17, 2023)
Linda Yulisman, “Indonesia hunts for Bjorka, hacker selling 1.3b SIM card users' data, taunting officials,” The Straits Times (retrieved May 23, 2023)
R. Loheswar, “After newest data leak, lawyers say time for Putrajaya to give up PDPA immunity,” (retrieved May 17, 2023)
Author
Zhiyee Teh, Research Associate, Research Operations