CYBER attacks, ransomware attacks, data breaches, and theft of financial information have been growing in number year-on-year. WannaCry, also known as WannaCrypt, and Petya, both ransomware, made headlines around the world in May and June of this year. Ransomware is a type of malicious software that encrypts data in storage, rendering it inaccessible and unreadable. The attacker demands payment for a key that will unlock the data, usually within a short period, after which the ransom increases. The attacker also warns the victim that non-payment will result in the deletion of the data. Payment does not guarantee that the key will ever be provided or, if provided, that it will unlock the data.
https://techspective.net reported that WannaCry infected millions of systems in about 150 countries (most other estimates put the count at a few hundred thousand machines). The ransom demanded was $300 in bitcoin, doubling if it was not paid within three days. Reports vary on how much the WannaCry perpetrators made, but the same report cites a tweet from @actualransom: “three bitcoin wallets tied to #WannaCry ransomware have received 265 payments totaling 42.9251299 BTC ($76,233.26).” At today’s exchange rate, that is a whopping P24,847,631.02.
The Petya attack came barely a month after the WannaCry attack. The attacker/s made off with £8,000 of ransom payments in bitcoin, or the equivalent of P544,830.48 at today’s exchange rate, before the email address identified with Petya was disabled by the email provider. With that address gone, victims who paid had no way to even send proof of payment, let alone receive a key.
Aside from the huge disruption to operations, the cost of a ransomware attack to business is staggering. Some estimates put the worldwide cost of ransomware at over a billion US dollars a year!
AV-Test Institute data (https://www.av-test.org/en/statistics/malware/) show exponential growth in the number of malware samples collected per year over the last 10 years. It projected that the total number of known malicious programs would reach about 700 million in 2017.
Quite worrisome are attacks on organizations, public or private, that collect and hold personal information of their customers or citizens.
On September 7, Equifax, a consumer credit reporting agency, disclosed that close to 143 million US consumers were affected by a data breach which occurred from mid-May to July 2017. The stolen records included personal information (names, Social Security numbers, birth dates and addresses) and, for about 209,000 consumers, credit card numbers. (Source: www.investor.equifax.com)
Yahoo, now owned by Verizon, disclosed last October 3, 2017, that all three billion Yahoo user accounts were affected by the August 2013 data breach, not the one billion it had earlier reported. (Source: www.oath.com)
Time Inc.-owned Myspace was a popular social networking site before it was overshadowed by Facebook. Myspace was also a victim of unauthorized access to its servers but said that “the compromised data is limited to a portion of Myspace usernames, passwords and email addresses, from the old Myspace platform prior to June 11, 2013—when the site was relaunched with significant steps to strengthen account security.” (Source: www.businesswire.com)
Uber, a ride-hailing application company and, by LTFRB’s definition, a transportation network company, was also a victim of a data breach in 2016, which it disclosed only recently. Uber is now under investigation in the US and Europe for reportedly concealing the incident, which affected about 57 million users worldwide. Uber also reportedly paid the hackers $100,000 to delete the stolen data. (Source: www.wired.com)
Uber is also under investigation by the National Privacy Commission (NPC). In a press statement released on November 28, 2017, the NPC said that Uber confirmed that personal information of Filipinos was exposed in the data breach, although Uber did not provide further details, including the specific number of Filipino data subjects affected.
In the US, www.wired.com reported in June 2017 how 198 million voter records were left publicly accessible on a misconfigured cloud storage server, with no password required to download them. It is unclear whether the voter records were actually accessed by unauthorized parties.
And who can forget the ComeLeak, a breach that exposed the personal data of close to 54 million voters a few weeks before the 2016 elections?
Personal data is exposed to risks even in a non-automated environment. Visitors to buildings willingly provide personal information at the security or reception desk and are asked to leave their identification cards in exchange for an access pass. In some buildings, data collection is done with automated systems and visitors are asked to have their photos taken. Senior citizens present their identification cards at restaurants, groceries, rest rooms, drug stores, movie houses, and elsewhere to avail of discounts or free services. These establishments collect personal information, mostly capturing the data electronically. It is, however, not known what these establishments do with the personal information, how they keep it, who has access to it, and how they dispose of it.
A Facebook user recently posted a warning that officials in their barangay (unnamed in the post) had been going around collecting personal information of household members within their jurisdiction. When asked what the purpose of the data collection was, the FB user was told that the list would be given to the police so that stickers indicating a drug-free household could be posted on the houses. Will the members of a household end up in the drugs watch list if they don’t submit to the local census? In some barangays, data about an alleged drug user or pusher is collected through drop boxes, with the provider of the data remaining anonymous. Is the purpose of the data collection legitimate? In a case argued before the Supreme Court en banc, a question was raised: how does one get out of the drugs watch list?
Personal data are collected without complying with the standards set in the Data Privacy Act: a stated and legitimate purpose, consent, proportionality, and security of the data collected. Personal data collection can be abused. Data collected can be misused. And there lies the danger.