
Another Day, Another Breach

220,000 is a lot of people. It’s the population of a small town like Taiping, and roughly twice the capacity of Bukit Jalil Stadium.

Yet today a data breach of this size barely registers in the news cycle. After all, the previous data breach was 200 times bigger and occurred just 3 months ago. How could we take seriously something that occurs so frequently, and on a scale very few comprehend?

Individually, each breach is not particularly damaging; it is a thin thread of data about its victims. But the threads add up. Criminals combine multiple breaches and stitch together a fabric of a victim's identity, eventually gaining enough to forge credit card applications in their name or to run the usual scams.

But if you're thinking of avoiding being in a breach, that's an impossible task. The only Malaysians who weren't part of the telco breach were those without mobile phones. In the organ donor leak, the victims were kind-hearted souls who were innocent bystanders in the war between attackers and defenders on the internet.

The only specific advice that would work is to not subscribe to a mobile phone account and to not pledge your organs. That is not useful advice.

I wanted this post to be about encouraging people to stop worrying about data breaches and move on with their lives. To accept that the price of living in a hyper-connected world is that you'll be a data breach victim every now and then. I wanted to demonstrate this by actually going out and pledging my organs, to show that we shouldn't be afraid.

But when I went to the Malaysian organ donation website (demarorgan.gov.my), I was greeted by the all too common "Connection is Not Secure" warning. Which just made my head spin!

In other words, a website that was probably already breached is continuing to accept registrations over an insecure connection, all because it can't implement TLS?

This is 2018; you can fix this problem for free! My personal website has TLS (and sayakenahack most definitely did as well), and yet a government-owned web property that asks for very personal user data doesn't implement basic encryption. Tsk tsk tsk!
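As an added example (not code from the original post), the script below does from the command line what a browser's "Connection is Not Secure" warning does: it opens a verified TLS connection to the host and reports why the certificate would be rejected (no TLS at all, self-signed, expired, wrong name), then fetches the front page over plain HTTP to see whether the site redirects to HTTPS or serves its forms in the clear. The hostname is taken from the command line; the probe results used to exercise the assessment logic are constructed, and nothing about any real site's state is asserted here.

```python
import http.client
import socket
import ssl
import sys
import time


def probe_tls(host, port=443, timeout=5):
    """Open a TLS connection with the default (verifying) context.
    Returns the peer certificate on success, or the reason a browser
    would refuse it (self-signed, expired, wrong name, no TLS at all)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "cert": tls.getpeercert(), "protocol": tls.version()}
    except ssl.SSLCertVerificationError as e:
        # Subclass of SSLError, so it must be caught first
        return {"ok": False, "error": f"certificate not trusted: {e.verify_message}"}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "error": f"no usable TLS on port {port}: {e}"}


def probe_http(host, port=80, timeout=5):
    """Plain-HTTP GET of the front page. A site that 'has' TLS but still
    serves its forms over port 80 without redirecting offers no protection."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return {"status": resp.status,
                "headers": {k.lower(): v for k, v in resp.getheaders()}}
    except OSError as e:
        return {"status": None, "error": str(e)}
    finally:
        conn.close()


def assess(tls, http, now=None):
    """Turn the two probe results into a list of findings (empty means fine).
    Pure function, so it can be exercised offline on constructed probe output."""
    now = time.time() if now is None else now
    findings = []
    if tls.get("ok"):
        # getpeercert() gives notAfter as e.g. 'Jan  1 00:00:00 2030 GMT'
        expires = ssl.cert_time_to_seconds(tls["cert"]["notAfter"])
        days_left = (expires - now) / 86400
        if days_left < 0:
            findings.append("https: certificate has expired")
        elif days_left < 14:
            findings.append(f"https: certificate expires in {days_left:.0f} days")
    else:
        findings.append(f"https: {tls.get('error', 'connection failed')}")

    status = http.get("status")
    location = http.get("headers", {}).get("location", "")
    if status is None:
        pass  # port 80 closed or unreachable: nothing is served in plaintext
    elif status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        pass  # plaintext request is bounced to HTTPS
    else:
        findings.append("http: content served in plaintext with no redirect to https")
    return findings


def check(host):
    """Run both probes against a live host and return the findings."""
    return assess(probe_tls(host), probe_http(host))


if __name__ == "__main__":
    for host in sys.argv[1:]:
        findings = check(host)
        print(f"{host}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it as `python3 tls_check.py demarorgan.gov.my` (the filename is an assumption). A site that passes cleanly prints only `OK`; the two findings a reader of this post should care about are a certificate the default trust store rejects and a port 80 front page that never redirects, since either one means the registration form can be read in transit.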

If you can't implement simple encryption on your website properly, heaven knows what else you implemented shoddily, and it's no wonder you got breached.

I'd be remiss not to tell you that the Election Commission website commits the same error, and so do many others.

Data breaches are going to continue happening, and the government needs an effective response to them. The current response is ineffective (if you consider it a response at all!). For now though, I'll still pledge to donate my organs — just on that webpage, and you should do the same too.
