ABET DE LA CRUZDec 24th 2019 · 3 min read
ABET DE LA CRUZ
I thought the moon would sever itself from Earth’s orbit in 1999, and for the upcoming year I hope an Undersea Laboratory would come to fruition. (If you get all of what I’m saying then — Man You OLD! — I know how that feels!)
Other than the Trump administration listing “Wakanda” on the government website as a Free Trade Partner, there is quite a bumper crop of security incidents and events that has happened in our country this 2019.
In August, the Philippines from a report published by security company Kaspersky, moved from 9th place in 2018 to 5th place in the global most cyberattacked country list. The report was based from statistics detected by their anti-malware software garnering 37.4 percent or 7 million Kaspersky users in the Philippines, the first four being Algeria (44.1 percent), Nepal (43 percent ), Albania (40.1 percent) and Djibouti (37.9 percent).
Another report that was published in the same month by Arkose Labs in its Q3 Fraud and Abuse report names the Philippines as the top originator of cyberattacks for both automated and human-driven attacks with the United States in a distant second.
It seems were getting high marks in both spectrum of cyberattacks both as the victim and the perpetrator.
Early on in the year in January, Cebuana Lhuiller, a firm well-known in the country for pawn broking made international headlines when information of its 900,000 or roughly 3 percent of its total clientele was endangered. The report stated that a compromised email server revealed personal information of some clients including their source of income but that transaction details in the main server were unscathed. The worrisome thing was that the breach had gone undetected since August of the previous year.
This comes in the heels of two well-known fast-food chains were also the subject of investigation of the National Privacy Commission (NPC) just last year. Wendy’s which lost 82,150 records containing personal data which included customer information, job applicants, addresses, passwords, payment method and transaction details; and Jollibee, whose online ordering portal were discovered to have vulnerabilities.
Speaking of the NPC, 26 online lending companies were ordered shut down this October after it was discovered that they might have been using personal data obtained from loan applications to Publicly shame borrowers that have defaulted on their payments. Ordered to stop personal data processing were online applications: Cash bus, Cash flyer, Cash warm, Cashafin, Cashaku, Cashope, Cashwhale, Credit peso, Flash Cash, JK Quickcash lending, Light Credit, Loan motto, Moola Lending, One cash, Pautang peso, Pera express, Peso now, Peso tree, Peso.ph, Pesomine, Pinoy cash, Pinoy Peso, Qcash, Sell loan, SuperCash and Utang pesos.
Even the military was not spared as hackers managed to infiltrate the Philippine Army’s recruitment site. Hackers carted away more than 50,000 personal information of applicants and 20,000 details of Armed Forces of the Philippines (AFP) personnel. Meanwhile as the same military contemplates of a ‘co-location’ agreement with several local telephone company operators and a China-based Telco, concerns have risen of whether there would be a risk of spying should the AFP ink a deal with any of them. But of course, given its history and penchant on espionage, all eyes are on one of the participants — Dito Telecommunity of China. Certain sectors in the military are wary that they could be a legitimate threat. In fact, in a report published this month by the Military confirms of a “Spying risk” should a deal be made with the China-backed telco.
On the Legislation and Regulation front, the antiquated Republic Act 8484, or the “Access Device Law of 1998,” got a much needed “facelift” as it was amended with extra prohibitions and increasing penalties, now known as RA 11449, it boasts of provisions specific to banking fraud covering acts and possession of software or hardware intended to commit such acts. The penalties are no joke either as one could get 3, 6, 12 and up to 20 years in jailtime and 300,000 to 5,000,000 depending on the severity of the offense.
As the year draws to a close, we recall all the things that we have gone through for the past 365 days. There lies always a reckoning of the past or an assessment if you will, whenever one feels that there is a new phase, a chapter, or even an imminent ending that’s about to happen and a New Year brings these all to us.
Unfortunately for information security and privacy, the New Year isn’t a magical period where we can forget the past and just move on. The actions and controls you have started will always need improvements as the techniques and threat actors improve over time. The good news is that (mostly) new year means another opportunity to increase your budget and bring in more tools or reinforcements to augment your current arsenal. Not to sure about personnel though, as it is still very hard to get good security people — but with artificial intelligence or AI and other advance security tools coming in, these should alleviate if not resolve those pesky manpower problems.
For those watching the beachheads of their information technology systems for possible security attacks or incidents, Holidays don’t really mean that the bad guys are taking a break as well. In fact, it is their favorite season as people are more relaxed and thus tend to let their guard down. Who wants to work during the holidays anyways?