It’s been reported this morning that a payment website – Government Payment Service Inc. (GovPayNet), used to process US government payments for traffic citations, court-ordered fines, bail payments and more – has leaked more than 14 million customer records. The leak included names, addresses, phone numbers and portions of the credit card numbers used. IT security experts commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“Another day, another breach. An abundance of caution has become the default cyber notification philosophy or cyber risk culture advocated by legal counsel following a data breach. Unfortunately, we need organisations to be abundantly cautious before, not after, a data breach occurs. We need organisations to adopt AI and behavioural intelligence to reduce the risk from malicious encounters. Every organisation has a responsibility to protect our sciences, culture and freedoms. We have unpredictable opponents with obscured intentions whose constant changes suppress our awareness of the actual dangers we face. Notifications out of an abundance of caution are really just admissions of ‘too little, too late’. This is because we have not created a culture that addresses the asynchronous nature of cyber conflict, of unprepared defenders constantly underestimating and failing to resist the intentions of a more sophisticated attacker.”
James Hadley, CEO & Founder at Immersive Labs:
“While the article highlighted that the fix for these types of breaches is simple and incidents are preventable, these organisations should already know better and hold the security of their data to higher standards. With the ever-increasing cyber skills shortage, getting the right people to ensure these errors aren’t overlooked has proven to be increasingly difficult. One solution would be to provide better all-round cyber training on a continuous cycle to ensure cyber teams are kept up to date with the latest best practice. This could ensure that even non-cyber-security professionals learn to be more security conscious and provide a bigger barrier when it comes to cyber criminals carrying out these easily preventable attacks.”
Lillian Tsang, Senior Data Protection and Consultant at Falanx Group:
“If we put it into context against the GDPR, the breach has resulted in a high risk to the rights and freedoms of individuals. There is the potential for identity theft, fraud and even cloning, depending on the full scale of the type of information leaked. The mastery held by hackers and the ‘trades’ in personal information in the murky underworld are limitless.
Although the data has been leaked – and this in itself means it is somewhere in the murky lands of being potentially exchanged, manipulated and cloned – this part cannot be controlled. However, what can be controlled is the frequency of periodic reviews of systems and controls. GovPayNet acknowledges that it ‘did not adequately restrict access to authorised recipients’. This could have been picked up during a Data Protection by Design and Default approach or the use of DPIAs, particularly for projects such as an online portal, as in this instance, where the velocity and volume of personal data are incredibly high. Even where Data Protection by Design and Default has not been mandated in a country, its equivalent or the standard risk assessments used in industry or specific sectors would be a good start for product and service development that processes personal data.
Where there has been a leak of login details, naturally customers should be advised to change logins and passwords, with advice on the strength of passwords. ‘Cat’ as a password may not cut it; ‘Cat2Twinkles6Liberty$’ may. It is a reciprocal approach: entities serve customers, and customers get informed as well. Banks and relevant institutions ought to be notified. Several communications should be used, as opposed to a single contact channel, and not as part of a by-line with marketing material and general newsletters. Direct emails and SMS are good examples. Banners on the corporate website and advertisements in print media may also be an avenue to explore.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.