A. Introduction

Over the last decade we have witnessed the rapid growth of the Internet of Things, where common objects have new and improved capabilities and central control systems. This has evolved into the overarching concept of the Internet of Everything, which aims to bring together people, process, data and things into one simplified, connecting network. Despite the long list of positives surrounding the Internet of Everything, its biggest drawback is that it poses new, unprecedented challenges. One such challenge lies in the realm of cyber security and the challenge of managing enormous amounts of private data stored in the cloud.

The unexpected arrival of the COVID-19 pandemic brought these challenges into the limelight and made them the center of discussion, especially amongst employers. This stems from most countries imposing lockdowns and mandatory remote working orders. Companies then found themselves in a situation where their employees were dealing with confidential information from unsecured home Wi-Fi networks. This in turn increased companies’ susceptibility to cyberattacks. An INTERPOL report during the start of the pandemic noted that cybercrimes were increasing “at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19”.1 This has not stopped to this day. Although it may have begun with simple scams such as phishing emails, since the start of 2021 this has escalated into cyberattacks against large organizations, and an increase in ransomware and double-extortion crimes. The most recent cyberattack was against the international fast-food chain McDonald’s.

B. McDonald’s Data Breach

Approximately a month ago, news broke that McDonald’s had been hit by a data breach. The breach occurred from the United States of America (“USA”), compromising the data of its South Korea and Taiwan customer database. The breach was discovered when the fast-food chain noticed unauthorized activity in its account. Upon this discovery, McDonald’s began an external investigation into the matter, during which the data breach was ascertained. According to McDonald’s, the attackers had obtained customers’ emails, phone numbers and delivery addresses in both South Korea and Taiwan, and had also stolen employee contact information from its Taiwanese operations.2 The breach did not extend to payment information and, according to the company, only affected a very small number of people.

The fast-food chain credited the minor breaches to their ‘substantial investment’ thus far in cyber security, which enabled them to identify a breach promptly and act swiftly.3 They have also pledged to further enhance their security systems to ensure such a breach no longer occurs. Fortunately for the company there was no ransom demand, and they were able to overcome the breach internally.

C. A Flurry of Cyberattacks

Although the attack on McDonald’s security system is seen to be on the lesser end of the spectrum, some have argued that this was the third consecutive incident in a series of attacks throughout the months of May and June.

Colonial Pipeline

The first of these instances was that of the Colonial Pipeline. Colonial Pipeline provides approximately 45% of the USA’s East Coast fuel supply and is the largest pipeline operator in the USA. At the beginning of May, it was forced to temporarily shut down and freeze its operations due to a cyberattack. It was reported that approximately 100GB of corporate data was stolen in the first two hours, and this was increasing rapidly, until the system was completely shut down.4 The company was then threatened that all the stolen data would be leaked online unless a ransom was paid.

Ultimately, due to national security concerns, Colonial Pipeline paid a total of $4.4 million in Bitcoin to the hackers. The hack was eventually traced to the group DarkSide, which is known for attacking the business side of businesses rather than their operational systems. Notorious for their double-extortion campaigns,5 they have been coordinating ransomware attacks since 2020. Some have even reported that DarkSide tends to play Robin Hood by attacking big corporations and collecting ransom, before donating the ransom collected to charities. Just yesterday, DarkSide claimed responsibility for the Guess ransomware attack. This cyberattack breached the fashion brand’s employee database, including but not limited to their Social Security, passport and financial account numbers.

However, it is important to note that due to the international condemnation the group has received for its Colonial Pipeline attack, alongside heavy law enforcement scrutiny, DarkSide is no longer in operation. Yet, they are not the only ones capable of such an attack, and companies still need to remain vigilant over their cybersecurity.

Electronic Arts (“EA”)

Illustrating that DarkSide is not the only group capable of such attacks, a day before the McDonald’s breach, the major game publisher EA had its source code stolen.6 Approximately 780GB of data was stolen from EA. However, this primarily revolved around the source code and game engines for many of its high-profile games, such as FIFA 21, without any breach of the players’ data.7 Although there have been reports stating that the stolen source code has been put up for sale, there was still no demand for ransom.

Breaches to steal source code are nothing new, and one even happened in February this year to the maker of the video game Cyberpunk 2077. However, in that instance, there was a ransom attack, and information pertaining to the company’s accounting, HR, legal administration, and investor relations was also compromised. The data stolen was supposedly sold off for $7 million. However, there was no official statement from the makers relating to this sale. Regarding the attack on EA, the company is currently collaborating with law enforcement officials to investigate the cyberattack.

D. From a Malaysian Standpoint

Malaysia is no stranger to such attacks. Even as recently as May 2021, Malaysia was impacted by the cyberattacks endured by the French insurer Axa.8 Understanding that no nation is immune from cyberattacks, the pertinent question then becomes: what are the protection mechanisms in place to deter such attacks?

In Malaysia, any cybercrime falls within the ambit of the Computer Crimes Act 1997 (“CCA”). The CCA governs all offences surrounding the misuse of computers and penalizes such misuse. Cyberattacks are governed under Section 5, which states that “A person shall be guilty of an offence if he does any act which he knows will cause unauthorized modification of the contents of any computer”. This section covers the offences of ransomware, trojans and even spyware. However, there are no reported cases on this to date. Anyone found guilty under the CCA will be liable “to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding seven years”.

Another relevant legislation is the Communications and Multimedia Act 1998 (“CMA”). The CMA governs the utilisation of network services with its scope encompassing the administration and other multimedia operation requirements. However, the CMA does not govern double-extortion cyberattacks.

Instead, offences involving extortion fall under the Penal Code. Section 383 of the Penal Code states that “Whoever intentionally puts any person in fear of any injury to that person or to any other, and thereby dishonestly induces the person so put in fear to deliver to any person any property or valuable security, or anything signed or sealed which may be converted into a valuable security, commits ‘extortion’”. Arguably, this section is applicable to instances of cybercrime extortion, like the one suffered by Colonial Pipeline, where payment was extorted from the company. However, in Malaysia, there has yet to be a judicial decision on this matter, specifically pertaining to cybercrimes, extortion or double-extortion.

In cases of ransom demands, it is also important to note that unlike the USA and the United Kingdom, there is no law in Malaysia that makes such payment illegal. It cannot be denied that with a scarcity of legislation in this area, there is then a higher risk factor when it comes to making such payments.

Ultimately, with the rise of cyberattacks, it is time for Malaysia to step up its game and enact stronger laws to protect businesses from falling victim to these crimes. Although initiatives such as the Malaysian Computer Emergency Response Team and the National Cyber Security Agency have been established, the scarcity of local concrete legislation makes it harder for the law enforcement authorities to assist victims of such crimes.

E. Conclusion

Cyberattacks are no longer only a concern for big multi-million-dollar companies, but have now become a concern for everyone. The rise of COVID-19 vaccination programmes worldwide, and even country-specific ones such as MySejahtera in Malaysia, increases the susceptibility to these attacks. A whole nation can be targeted through a hack of one mobile application or website. Thus, governments play a crucial role in ensuring that the privacy of their citizens is protected and not susceptible to cybercrimes. With rising privacy concerns, it is pertinent to begin working towards ensuring that there is proper legislation and governing frameworks should a cyberattack occur. Ultimately, in this day and age, data breaches should not be taken lightly and there should be appropriate measures in place to guard against cybersecurity threats.

Footnotes

  1. INTERPOL, ‘Cybercrime: COVID-19 Impact’, August 2020.
  2. Heather Haddon, ‘McDonald’s hit by Data Breach’, The Wall Street Journal, 11 June 2021, <https://www.wsj.com/articles/mcdonalds-hit-by-data-breach-in-south-korea-taiwan-11623412800>.
  3. ‘McDonald’s hit by data breach in Taiwan and South Korea’, BBC, 11 June 2021, <https://www.bbc.com/news/business-57447404>.
  4. Jordan Robertson and William Turton, ‘Colonial Hackers Stole Data Thursday Ahead of Shutdown’, Bloomberg, 9 May 2021, <https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown>.
  5. A double-extortion campaign is where a victim is not only locked out of their systems but also information has been stolen from them.
  6. Source codes are the human-readable version of a computer program before it is transformed for use.
  7. ‘EA: Gaming giant hacked and source code stolen’, BBC, 10 June 2021, <https://www.bbc.com/news/technology-57431987>.
  8. ‘Axa IT ops in Malaysia, HK, Thailand and Philippines impacted by ransomware cyber attack’, The Star, 17 May 2021, <https://www.thestar.com.my/business/business-news/2021/05/17/axa-it-ops-in-malaysia-hk-thailand-and-philippines-impacted-by–ransomware-cyber-attack>.

2 responses to “Data Breach: Not A Matter to Clown Around With”

  1. RJ Menon

    Brilliant, Saradha - we all need to re-look into protecting against unauthorized access to our data…

  2. Sundram

    Very well researched and presented.
