Pacnet hacking exposes wider cyber issue

A Telstra field technician conducting maintenance work on one of the company's communication pillars in Melbourne, Australia, on Thursday, Aug 16, 2012. -- PHOTO: BLOOMBERG

THE name will seem familiar to Singapore readers - Pacnet. It was once Singapore's second Internet service provider, before exiting the residential business here in 2012. Two months ago, Pacnet was sold to Australian telco giant Telstra.

That news received routine coverage, but a potentially bigger story went under the radar.

Barely a month later, on May 20, Telstra announced that the corporate network of Pacnet - its Asian Internet service provider - had been hacked, with the data of thousands of corporate and government customers potentially exposed to exploitation. Pacnet, headquartered in Singapore and Hong Kong, offers data centre services to carriers, governments and multinationals across the Asia-Pacific.

Telstra said the breach "occurred prior to Telstra taking ownership of Pacnet, and Telstra was made aware of the breach on finalisation of the purchase on 16 April 2015".

The Pacnet hacking received its share of coverage in Australia, but elsewhere it did not attract as much attention as, for example, the insider theft of HSBC Private Banking's client data.

Here lies the rub: Everyone is a victim when a data breach happens - both the organisation and its customers. Regardless of how and where the breach occurs, the individual customer ultimately will be at the receiving end.

The Telstra-Pacnet incident is relevant for companies undergoing mergers and acquisitions, but there is a broader lesson: Cyber security works best when it is focused on data privacy.

Lessons for others

SO, WHAT can companies do differently from Telstra and Pacnet? I suggest three aspects:

  • Cyber security reviews must be part of due diligence. Pacnet informed Telstra of the breach only after the transaction. This raises questions about the due diligence process. Did Telstra review Pacnet's security maturity levels?

Typically, a more thorough review is conducted only during the integration phase, post-acquisition, and not during due diligence. In today's heightened cyber risk environment, security reviews must be an essential part of due diligence.

In September last year, hackers breached the customer database of Singapore karaoke chain K Box and posted the personal details of over 300,000 members online.

Seven months before the breach, K Box had been sold to another investor. Was a thorough security review of K Box done during the sale process?

  • Mandatory, early disclosure is essential. A recent experiment by security broker and data protection company Bitglass saw a fake file of credit card and personal data travel across 22 countries and five continents in just 12 days. Point noted: Responses to breaches must be fast, to mitigate risks and reduce harm.

Due diligence is prevention. But the Bitglass experiment shows the speed at which data privacy can be compromised. It is important that the victim, as soon as possible, inform all relevant stakeholders - especially the authorities and customers, so they can protect themselves against fraud and misuse.

In February this year, the database system of Nanyang Polytechnic was compromised, and the bank details of about 240 former students stolen. The polytechnic notified individuals on Feb 5, explaining there was "unauthorised access" to its system on Jan 14. Could these individuals have been informed earlier?

Laws requiring mandatory reporting must be effective to mitigate the fallout from data breaches. Yet, most Asia-Pacific jurisdictions do not have mandatory breach notification laws.

Companies are "encouraged" to do so, and we all know how that works. Indeed, non-disclosure is not an option; neither is untimely disclosure.

The Singapore Personal Data Protection Commission issued guidelines last month to "encourage" companies to notify individuals and the commission of data breaches. This is not mandatory, but the rules allow the commission, as part of an investigation, to view the affected company as having failed its obligations to adequately protect personal data.

  • Cyber security is about personal data protection. Recently, cyber incidents have been described in the same breath as personal data breaches, unlike in the past, when personal data protection received mostly just a mention.

This increased linkage between cyber incidents and personal data is for a good reason: In the digital age, many companies, especially telcos and Internet service providers, are investing a lot in data collection, analytics and digital initiatives.

The same companies cannot afford to be short-sighted, but must invest as much in cyber security for data privacy protection.

Hindsight is always 20/20 and it is easier to critique what has happened and discuss what should have been. However, every breach is one breach too many. When it happens, it behoves us to learn from it. Failing to do so is the greatest risk.

stopinion@sph.com.sg

The writer has worked as a security consultant at KPMG and Verizon. He is a director of Measurity, which helps companies tackle technology governance challenges.