Reputational loss, more than financial, can cause greater damage. Firms must not compromise on stepping up cyber-security
As technology progresses, much of our personal data has been moving to the digital domain. Corporations and data-driven businesses are extremely attractive targets for cyber-criminals, simply due to the large amount of data that can be breached in one single attack.
Part of this modus operandi often leads to the attacker going out to the media with the details of the breach to put more pressure on the victim, specifically by sharing some portions of customer and company data that can further cause financial and reputational loss to the organisation.
In today’s hyper-connected world, news travels fast. Lost confidence, negative press, identity theft, and potential customer’s views towards the affected company can all create long-term loss of reputation.
But more often than not, thetype of data and content shared with the media by these cyber-criminals are misleading in nature to inflict maximum damage to the organisation in question. This is also because not all media have the requisite skills to adequately conduct an audit of the data presented and check its authenticity. There have been multiple instances where data published in the media was completely different compared to the actual sources on the dark web.
A case in point is the recent alleged data breach faced by MobiKwik, where the data of users of the mobile wallet and payment app was reportedly put on sale on the dark web by a hacker. MobiKwik went on to say that it is entirely possible for a user to upload personal details/information on multiple platforms, so it’s incorrect to suggest that data available on the dark web has been accessed through its servers alone as the same sets of data could be mined from multiple sources and presented to the media.
Another example of such an instance is the alleged Bharti Airtel data breach where subscriber data — which included Aadhaar numbers, address and date of birth — was reportedly leaked by the hackers on the dark web.
However, Airtel denied any data breach and issued a statement saying that the claims made by hackers reveal glaring inaccuracies and a large proportion of the data records did not even belong to them.
Recent data breaches faced by Domino’s India and Upstox are examples of possible breaches that can be avoided in the future (Domino’s India clarified that its user data was not compromised). In both the cases, it was personal financial data of customers that was compromised and then uploaded for sale on the dark web by hackers.
Publishing data on the dark web is always part of the attack plan, so that other criminal elements can purchase the data if the extortion does not succeed.
The pattern followed by the attackers is to publish the data on the dark web if they are not satisfied with the extortion amount received. So, they sell it on the dark web and then share limited copies of the data breach to media channels for negative publicity and cause public dissonance.
But there is one question the entire industry must ask collectively: Are the ‘ethical’ hackers publishing this on a weekly basis truly independent or agenda driven? The very nature of their public naming and shaming of the companies in question seem to make their intent suspect.
The primary reason behind these breaches is the lack of adequate security layers that are mentioned on the terms and conditions of the website/service provider but are not executed in totality within their systems. To avoid this, it is crucial that businesses implement the security policies in totality and not cut costs in cyber security deployment. These data breaches are increasing in frequency as attackers have realised the potential of leveraging customer data.
The after-effects of a data breach can be quite severe and difficult to overcome for any business. Depending on the nature and scale of the breach, there are various financial problems to mitigate, stemming from data loss extending to customer litigation and disruptions to business operations.
One of the most common and avoidable loopholes is human error, which tends to create inadvertent vulnerabilities in security systems. Therefore, the solution is to always restrict information to specific departments and compartmentalise information much like how the military operates.
The other underutilised exercise that organisations should conduct are ‘bug bounty’ programmes wherein cyber-security and ethical hacking experts can check and flag the vulnerabilities before an attacker can exploit them. While these practices are common across the developed world, they are yet to be optimally used in India. Organisations should also regularly conduct third-party audits wherein the vulnerabilities can be studied by the internal and external consulting teams. These are just some of the precautionary measures that the organisations can take to avoid data breaches.
But if companies truly wish to live fearlessly, they should invest constantly and remember the statement by the great Andy Grove, who famously said, “Only the paranoid survive.”
The writer is a certified security analyst, digital forensics investigator and certified threat intelligence analyst