The top 10 APAC data breaches

Vulnerability of data and all-round cyber security in the Asia-Pacific (APAC) region is a growing concern.

According to Raymond Teo, cyber leader at PwC South East Asia Consulting, data breaches are a pervasive menace. “As cyber threats continue to increase in frequency and sophistication, a holistic approach to cyber security has become a top priority for C-suites and boards,” he says. “Companies are strengthening their cyber defenses and regulators are applying pressure to improve cyber resilience and build public trust.”

Despite this, the APAC region has unfortunately been a hotbed for serious data breaches in 2023 a – as the following 10 high-profile incidents demonstrate.

Tasmanian education data exposed

In April of this year, the Tasmanian education department in Australia fell victim to a cyber attack that led to the exposure of thousands of documents on the dark web, many of which contained sensitive personal information of schoolchildren. 

The state government promptly acknowledged the breach, admitting that financial records and invoices, some containing the names and addresses of students and their parents, had been compromised. These documents were illicitly procured by the hacking of GoAnywhere MFT, a third-party file transfer service.

Initially estimated at 16,000 compromised documents, the scope of the attack expanded to impact an additional 14,000 individuals as investigators delved deeper into the data breach. 

In response to the crisis, emergency management protocols were activated, and the education department initiated outreach to approximately 150,000 individuals and businesses whose data was potentially jeopardized. Notably, the hackers abstained from issuing any ransom demands, though the Australian federal government strongly advised against entertaining any such requests for funds.

Samsung ChatGPT leaks

In April it was reported that employees at Samsung had breached confidentiality protocols by sharing sensitive company data with an AI-powered chatbot ChatGPT. The Economist Korea reported three distinct incidents of data leakage. 

Samsung had previously expressed concerns that ChatGPT could potentially divulge proprietary information and had cautioned employees to prioritize internal information security and from entering private data. However, within a mere 20 days, three different company engineers were implicated in these incidents.

One engineer allegedly fed Samsung source code into ChatGPT in a quest to resolve a software bug, while another recorded a confidential company meeting, transcribed it using an audio-to-text application, then inputted the transcript into ChatGPT to generate meeting notes. The third engineer used ChatGPT to optimize a test sequence for identifying defective chips. In response, the company reportedly initiated disciplinary inquiries for all three individuals.

Toyota customer information compromised

It came to light in May that a cloud misconfiguration within Toyota's server infrastructure may have exposed sensitive data belonging to over two million customers. The security lapse made sensitive information accessible to unauthorized entities for users of Toyota services such as T-Connect, G-Link, G-Link Lite and G-BOOK, with data spanning from January 2, 2012 to April 17, 2023.

The compromised data included location details of affected vehicles, timestamps of their presence at these locations, as well as the in-vehicle terminal ID and Vehicle Identification Number (VIN). Additionally, unauthorized parties might have gained access to external vehicle video footage from a drive recorder used in Toyota corporate services between November 1, 2016 and April 4, 2023.

Toyota attributed the cloud misconfiguration to inadequate data handling rules and said it was taking corrective measures, including comprehensive employee education, ongoing monitoring of cloud settings and auditing the cloud environment to prevent future incidents. 

Latitude attack causes breach 

In March, Latitude Financial, an Australian financial services firm, reported a data breach after detecting unusual activity within their systems. An attacker managed to acquire employee login credentials, which were subsequently used to access personal customer data from two service providers.

Initially, the company stated that the breach impacted 328,000 customers, primarily involving driver's license details. However, updates revealed that passport copies, passport numbers and Medicare numbers were also compromised and the breach affected customers in both Australia and New Zealand.

Latitude Financial later disclosed that over 14 million customers were affected. The stolen data included 7.9 million Australian and New Zealand driver's license numbers, around 53,000 passport numbers, 100 monthly financial statements and 6.1 million records dating back to at least 2005.

Customer names, birthdates, addresses and phone numbers were also among the compromised information.

Search uncovers Bangladesh citizen details 

In July, the website TechCrunch revealed that the personal information of over 14 million Bangladeshi citizens was accidentally exposed through the Office of the Registrar General, Birth and Death Registration's website. South African security firm Bitcrack Cyber Security corroborated the data leak, which included names, phone numbers, emails and national ID numbers.

In fact, it was Bitcrack researcher Viktor Markopoulos who accidentally discovered the breach in late June and notified the Bangladeshi e-Government Computer Incident Response Team (CIRT). The Bangladesh government responded by taking down the exposed data.

Markopoulos said finding the data was “easy” as it simply appeared in a Google result. “I was Googling an SQL error and it just popped up as the second result,” he told TechCrunch.

Markopoulos warned that the data could have been used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification.

Patient data stolen from pathology clinic

A recent cyber security incident at the Australian pathology clinic TissuPath potentially exposed ten years' worth of referral letters.

TissuPath said it was investigating the potential data exposure, which could include scanned pathology request forms containing patient names, dates of birth, contact details, Medicare numbers and private health insurance information. 

The incident, discovered in the last week of August, was said to have been caused by an attack on a third party supplier that led to a storage drive being accessed.

Upon being informed of an attack, the TissuPath response team identified the user accounts that were potentially compromised and disabled access to all systems, then enforced password reset once security measures had been completed and access was restored.

TissuPath said the data potentially included referrals for suspected cancer patients between 2011 and 2020. According to the company, the data is kept for 20 years under National Pathology Accreditation Advisory Council (NPAAC) guidance.

Indonesian passport data offered for sale

The data of over 34 million Indonesian passport holders stored by the Immigration Directorate General was reportedly breached by a hacker known as Bjorka earlier this year. This cyber attack came to light in July after being revealed via cyber security researcher Teguh Aprianto's Twitter account. 

According to the Jakarta Post, the leaked data included full names, passport numbers, expiry dates, dates of birth and genders of the passport holders and was offered for sale at $10,000.

Bjorka was also reported to have provided one million samples of the stolen data on a hacker platform. The Indonesian Communications and Information Ministry launched an investigation into the reported breach but could not confirm the extent of the personal information compromised.

The incident was one of a series of recent data breaches in Indonesia, with the Communications and Information Ministry documenting a minimum of 94 reported database breaches. The country passed the Personal Data Protection Law in September 2022 to enhance data security and citizens' control over their personal information online.

Pareto Phone charity data woe

A cyber attack on Brisbane-based telemarketing firm Pareto Phone resulted in the exposure of thousands of Australian charity donors' personal information on the dark web. ABC reported that the telemarketer was found to have retained donor data dating back nine years, sometimes without the knowledge of the charities and potentially violating privacy laws. 

Charities such as the Cancer Council, Canteen and the Fred Hollows Foundation confirmed the publication of donor information on the dark web.

The Fred Hollows Foundation disclosed that 1,700 of its donors were impacted and expressed deep disappointment, emphasizing the need for data to be securely managed and disposed of in accordance with privacy principles. However, it said that based on information from Pareto Phone, the breach did not involve financial, credit card or bank account information.

The data breach was thought to have impacted a minimum of 4,300 individuals. According to ABC, more than 70 Australian charities used Pareto Phone, although not all were affected. 

Ransomware attack hits Australian law firm

Australian commercial law firm HWL Ebsworth fell victim to a ransomware attack earlier this year, with Russian-linked hackers claiming to have obtained client information and employee data.

The April attack, first reported by the Australian Financial Review, became clear when ALPHV (also known as BlackCat) ransomware group posted on its website that four terabytes of data had been stolen, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card information and a complete network map. A number of sample documents were included on the website post. 

HWL Ebsworth notified the Australian Cyber Security Center and a spokesperson for the firm said: “The privacy and security of our client and employee information is of the utmost importance to us. As soon as we learned of this potential incident, we acted quickly to respond to the threat and have been working with third-party experts to determine the validity of the claims, and to ensure the ongoing safety and security of our systems.”

BSI data incident reported

May 2023 saw Bank Syariah Indonesia (BSI), the country's largest Islamic lender, liaise with regulators to enhance its cyber security following reports that account information of 15 million customers had been exposed online.  
Following the reports, BSI asserted that recovery, audit and mitigation efforts were underway to prevent similar disruptions.

Indonesia’s central bank reported that the lender's financial services, including ATM withdrawals and online banking, were disrupted on May 8 due to "interference" in its system, but that the problem had been resolved by May 9.

According to Reuters, hacker group LockBit 3.0 claimed responsibility for the attack. The hackers, who had previously targeted French defense and technology group Thales, said they had accessed BSI data on May 8 and published it online the following day. According to cyber security expert Teguh Aprianto, the leaked details included bank account holders, numbers, balances and transaction histories.