Following news of a data breach in Hong Kong, in which two laptops containing the details of 37 million voters were stolen, some are saying this could be the city’s largest data breach. IT security experts from Security Consultancy, Derivative Technology and Bitglass commented below.
Efe Orhun, Managing Partner & CISSP at Derivative Technology:
“Given that Election Committee members didn’t know there was a backup centre, it’s likely the culprit is potentially an insider familiar with the election’s fallback planning. If this was an insider job, it’s unclear whether the data encryption will be any use because if the culprits are familiar with the fallback procedures, they are likely also familiar with how to access the laptops. And besides, if it was government sponsored, full disk encryption may not be an obstacle either.
While there appear to be some data compartmentalization issues in keeping Election Committee member data with the general voter data, the more important thing to look for is targeted phishing of Election Committee members and follow-up attacks. It’s likely this was a recon for something bigger.”
Eduard Meelhuysen, Head of EMEA at Bitglass:
“Of all the data breaches in the headlines, it’s the public sector stories that are the most alarming. Whether it’s the NHS or the Hong Kong Registration and Electoral Office, these organisations need to remember their duty of care, not to mention legal obligations, to protect citizens’ and employees’ data. This means not only keeping sensitive data encrypted, but also controlling where it goes using tools like access control and data leakage prevention. Is it really a business necessity to store the information of millions of citizens on a laptop that’s being taken to a tradeshow?”