Firms urged not to rely on just passwords to secure websites

K Box yesterday was scrambling to fix its website, leading to it being intermittently unavailable, following the massive data breach on Tuesday. -- PHOTO: ST FILE
K Box yesterday was scrambling to fix its website, leading to it being intermittently unavailable, following the massive data breach on Tuesday. -- PHOTO: ST FILE

Companies that rely on just a password to secure their websites are the most vulnerable to cyber attacks, security experts warned yesterday.

Also vulnerable are those that do not scan their computers regularly for security holes, they said, pointing out that this may have been how hackers had broken into and stolen the members' database of karaoke bar chain K Box.

K Box yesterday was scrambling to fix its website, leading to it being intermittently unavailable, following the massive data breach on Tuesday.

The hackers stole and posted on various websites the names, addresses and mobile phone and identity card numbers, among other things, of 300,000 customers.

Calling itself "The Knowns", the group said the cybercrime was in protest against the recent increases in toll charges at the Woodlands Checkpoint. It had threatened to "attack and expose" more Singapore companies.

New victims, the experts said, could be anyone, from restaurants to bowling alley operators, who for years has kept members' personal data on spreadsheets in unsecured computers.

"Typically, smaller companies are easier targets," said Mr Bryce Boland, chief technology officer of California-based IT security company FireEye in the AsiaPacific.

They tend to have smaller budgets for security software and less stringent IT policies, he said.

For instance, access to sensitive data on their websites may be protected by just a username and password, and any data submitted through the website is not secured by the latest encryption technologies.

Also, Mr Boland said, when computers have undetected security holes, malicious programs can be easily installed to steal databases.

Mr Oh Sieng Chye, a locally based malware researcher at security software maker ESET of Slovakia, said: "Malicious software could have been implanted into a computer by a staff member."

This is why Mr Joe Green, Asia-Pacific head of systems engineering at network security firm Palo Alto Networks, believes in strict IT policies that prohibit certain staff from accessing particular systems.

"It can also go a long way in keeping cyber security postures watertight," he said.

Companies also should collect only what data they need, said Mr Alvin Tan, regional director for IT security firm McAfee. "And this data should be protected by encryption and constantly monitored for authorised access."

K Box, which is possibly facing fines for lax data protection, said on Tuesday night that it was undertaking a full internal probe into the theft. The breach is also being investigated by privacy watchdog, the Personal Data Protection Commission.

Privacy laws came into force on July 2 and companies found in breach of the law face fines of up to $1 million.

itham@sph.com.sg

SEE FORUM