Asian delivery and rental company Bykea exposed its production server information and allowed access to over 200GB of data containing more than 400 million records showing customers’ full names, locations and other personal information.
BYKEA response: We would like to clarify that a vulnerability was reported to BYKEA in an ethical manner and was patched before it could be exploited.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>The reported data breach from Bykea in Pakistan is not so much a breach as a lapse of basic system administration standard practices. Leaving a server accessible to the open internet with no authentication and no encryption is almost hard to imagine in 2021. Here, a misconfiguration has revealed customer, business, and employee information that could easily be used for social engineering, identity theft, and other attacks. While exposing the infrastructure made their environment vulnerable to a range of attacks, including data theft and ransomware.</p> <p> </p> <p>This highlights how important following industry best practices is for basic administration tasks, let alone for information security. Fortunately, there are a range of tools that can help prevent these lapses, from system automation tools in the SysAdmin world to security analytics on the security side.</p>
<p>This is a case study in why every government needs to step in and enforce some fundamental data privacy protection legislation with penalties. Not too long ago, attackers deleted this company’s customer data base – but they had backups and were back in business.</p> <p> </p> <p>Now, because of a failure to practice fundamental encryption to protect their customers’ data, some 400 million peoples’ financial, location, national identity cards and personal data has been exposed, and their lives are likely to be upended at some point.</p> <p> </p> <p>In 2021 encryption should be a no brainer. The first step must be better regulation governing all organizations collecting financial data and requiring them to use encryption. That mandate must come from all national governments large and small, with superpowers such as the US taking a lead, and with Zero Trust policies enforced as well.</p> <p> </p> <p>Here in the US, we also lack requirements of businesses that reflect the practices mandated by the EU-US privacy Shield and GDPR. It’s past due time, and until our legislators take strong and informed actions, people are only going to continue getting hurt.</p>
<p>It is hard to believe that with the ever-increasing threat of a cyber-attack, there would be such a careless disregard of basic cyber hygiene. On the surface, the lack of establishing or even following documented security hardening standards, providing basic encryption of customer and proprietary data, and the disregard of generally accepted IT operational best practices, provides evidence that Bykea has not learned much from their previous (September 2020) cyber incident. I would hope that this new “wake up” call does not come too late for Bykea who may start to see competitors exploiting this latest incident for their own benefit by chasing customers who are disgruntled that Bykea has historically acted so carelessly with their data.</p>