Understanding Data Breaches: Causes, Consequences and Response

Updated: 10 Aug 2024

What is a Data Breach? 

A data breach is any cybersecurity incident in which sensitive or confidential data belonging to individuals or organisations is accessed, disclosed, copied or exfiltrated by an unauthorised party. Such data includes Personally Identifiable Information (PII), private credentials, intellectual property and other confidential information. Not every cybersecurity incident or cyberattack is a data breach: a Denial-of-Service (DoS) attack, for example, disrupts availability without necessarily exposing any data. 

How Does a Data Breach Occur? 

Most data breaches begin with an attacker compromising a system, account or network in order to gain unauthorised access to the data it holds. Common attack vectors include: 

  • Phishing attacks: A social engineering tactic that manipulates individuals into revealing sensitive information or credentials through emails, messages or calls that appear to come from a legitimate source. 
  • Malware infections: Malicious programs or code designed to infect devices, disrupt operations or compromise systems. Attackers may use malware to extract sensitive data for unauthorised purposes or to demand a ransom, as in the case of ransomware. 
  • System vulnerabilities: Weaknesses in systems that attackers can exploit, such as unpatched software, misconfigurations, or unsecured networks and devices. 
  • Insider threat: Malicious or negligent individuals within an organisation may intentionally or accidentally misuse their access to systems and data. Sensitive information may be disclosed directly, or weaknesses created that external attackers can take advantage of. 
  • Supply chain attacks: Attackers target third-party systems, such as an organisation's suppliers, vendors or managed service providers, and use the access and trust those parties hold to reach the organisation's data. 
  • Man-in-the-Middle (MITM) attacks: Attackers intercept traffic between the victim and the server they are communicating with, typically on untrusted networks or where transport encryption such as TLS is absent or misconfigured, in order to steal data or credentials. 

Implications of Data Breaches 

Data breaches disrupt business operations and can lead directly to lost revenue. They also damage an organisation's reputation, which can affect its market position and share value. When personal data is compromised, companies face financial losses from legal penalties and compensation, and also lose the trust of their customers. The impact of a breach varies with its extent and the parties affected. In highly regulated industries the consequences can be particularly severe, as regulators can impose significant penalties. 

What Should You Do When Encountering a Data Breach? 

Before responding to a data breach, organisations should know which regulations apply to them, so that the response meets the relevant legal requirements, in particular the notification criteria and deadlines. Note that the information herein is not presented as a source of legal advice. Some of the regulations in the Asia-Pacific region include: 

  • Singapore: Organisations must adhere to the Personal Data Protection Act (PDPA). When a breach is discovered, organisations should assess within 30 calendar days whether it is notifiable. Under the Personal Data Protection (Data Breach Notification) Regulations 2021, a breach is notifiable if it results in, or is likely to result in, significant harm to affected individuals, or if it involves the personal data of 500 or more individuals. Once a breach is assessed to be notifiable, the Personal Data Protection Commission (PDPC) must be notified within three calendar days, and affected individuals must be notified where significant harm is likely. 
  • Hong Kong: Organisations must comply with the Personal Data (Privacy) Ordinance (PDPO). Breach notification is not mandatory under the PDPO, but organisations are advised to follow the Guidance Note on data breach handling issued by the Office of the Privacy Commissioner for Personal Data (PCPD), which provides a framework for preventing and responding to breaches and recommends notifying the PCPD and affected individuals. 
  • Malaysia: The Personal Data Protection Act 2010 (PDPA) governs the processing of personal data in commercial transactions. Data breach notification is not mandatory under the Act, but it can be made voluntarily using the Data Breach Notification form issued by the Personal Data Protection Commissioner (PDPC). 
  • China: Organisations must adhere to the Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL). Under these laws, security incidents must be reported to the relevant authorities, such as the Cyberspace Administration of China (CAC), and, where necessary, to affected individuals. 
  • Indonesia: Law No. 27 of 2022 on Personal Data Protection requires organisations to notify the supervisory authority and affected individuals within 72 hours (3 x 24 hours) of becoming aware of a data breach. 
  • Australia: Under the Notifiable Data Breaches (NDB) Scheme in the Privacy Act 1988, organisations must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable once they determine that an eligible data breach has occurred; a suspected breach must be assessed within 30 days. 
  • South Korea: The Personal Information Protection Act (PIPA) requires organisations to notify affected data subjects within 24 hours of discovering the breach, and to notify the Personal Information Protection Commission (PIPC) if the breach affects 1,000 or more data subjects. 

Notification regimes vary across countries in the criteria for notification, the timeframes and the penalties, and sector-specific rules apply on top of them. For instance, owners of critical information infrastructure in Singapore must notify the Commissioner of Cybersecurity at the Cyber Security Agency (CSA) of cybersecurity incidents, while organisations processing the personal data of European Union (EU) residents must comply with the General Data Protection Regulation (GDPR), which requires the supervisory authority to be notified within 72 hours of the organisation becoming aware of a breach. Beyond compliance obligations, organisations should establish a clear data breach response strategy so that they can react promptly and effectively to any cybersecurity incident involving a potential data breach.

The Singapore PDPC’s guide on “Managing and notifying data breaches” outlines the CARE framework, which consists of four steps an organisation can take when encountering data breaches: 

  • Contain: As with any incident response, the breach must first be contained to limit the damage and stop it escalating, for example by isolating affected systems, revoking compromised credentials and blocking the attacker's access, while preserving logs and other evidence needed for the assessment. 
  • Assess: The organisation then assesses the impact of the breach (what data was exposed, whose, and how much) and its remediation approach, including whether the breach is a notifiable one. 
  • Report: Once the breach is determined to be notifiable, the organisation must notify the relevant authorities and affected individuals within the applicable deadlines. Failure to comply with breach notification requirements may result in enforcement action against the organisation and, consequently, penalties. 
  • Evaluate: The last step of the CARE framework is to evaluate the response effort and refine the organisation's controls and procedures to strengthen its defence against future breaches. 

Handling a data breach is a complex task that demands robust technical expertise, and the actual procedures extend well beyond the outline above. At Ensign, our Digital Forensics and Incident Response teams excel in swiftly containing cybersecurity incidents, effectively minimising our clients' data loss and financial impact. 

How to Prevent Data Breaches? 

Establish a Data Breach Management Plan 

In addition to complying with legal regulations, organisations should maintain a data breach management plan, so that they are prepared for a breach, can respond effectively and can sustain the trust of their stakeholders. The PDPC's Data Protection Management Programme (DPMP) guide outlines four steps that organisations can consider when establishing a robust data protection foundation. 

Adopt Data Security Measures 

On top of a clear data breach management plan and response protocols, there are measures organisations can implement to strengthen data breach prevention: 

  • Data classification: Organising data into categories according to its sensitivity so that it can be handled and protected appropriately. Classification labels let security controls respond correctly depending on what type of data is being retrieved, transmitted or copied; a control cannot block the exfiltration of restricted data unless that data has first been identified as restricted. 
  • Data protection: Shielding sensitive data from corruption, compromise or loss, and being able to restore it. This may be done with security tools such as endpoint security solutions, Data Loss Prevention (DLP) systems, encryption of data at rest and in transit, and tested backups. 
  • Zero Trust adoption: Implement a Zero Trust Architecture (ZTA) by applying identity-based controls that continuously validate every user and device accessing resources, enforcing least-privilege access based on each role's responsibilities. Network segmentation is also essential to limit unauthorised access and prevent lateral movement. Effective Zero Trust measures require comprehensive visibility, which Security Information and Event Management (SIEM) and Identity and Access Management (IAM) solutions can provide. 
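The classification and DLP controls described above can be demonstrated with a short Python script. The following is an added illustration, not Ensign's DLP Suite and not code from this page. It assumes three sensitivity labels (RESTRICTED, CONFIDENTIAL, INTERNAL), a policy table listing the destinations each label may flow to, and a handful of constructed sample records; the NRIC, e-mail and card detectors are deliberately simple regular expressions, with a Luhn checksum used to confirm that a 13 to 19 digit run is actually a card number.

```python
"""Toy data classifier with a DLP-style egress check.

Added illustration for the data classification / DLP discussion; it is not
Ensign's DLP Suite or any other product. The labels, the POLICY table and the
sample records are assumptions made for this example.
"""
import re

# Detectors for a few common PII types. The NRIC pattern checks only the shape
# (prefix letter, seven digits, check letter), not the check letter itself; the
# card pattern is confirmed with the Luhn checksum so that other 13-19 digit
# numbers (order references, phone numbers) are not flagged as cards.
PATTERNS = {
    "nric":  re.compile(r"\b[STFGM]\d{7}[A-Z]\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Assumed policy: government IDs and card numbers never leave the organisation;
# contact details may go to contracted vendors; everything else is unrestricted.
POLICY = {
    "RESTRICTED":   {"internal"},
    "CONFIDENTIAL": {"internal", "vendor"},
    "INTERNAL":     {"internal", "vendor", "public"},
}


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: str) -> tuple[str, set[str]]:
    """Label a record by the most sensitive PII type found in it."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(record):
            if kind == "card" and not luhn_ok(match.group()):
                continue        # shape matched but checksum failed: not a card
            found.add(kind)
    if found & {"nric", "card"}:
        label = "RESTRICTED"
    elif found:
        label = "CONFIDENTIAL"
    else:
        label = "INTERNAL"
    return label, found


def egress_allowed(record: str, destination: str) -> bool:
    """DLP check: may this record be sent to `destination` under POLICY?"""
    label, _ = classify(record)
    return destination in POLICY[label]


# Constructed sample records; the name, NRIC and card number are made up
# (the card number is the well-known Luhn-valid test number, not a real card).
SAMPLE_RECORDS = [
    "Invoice 2024-0817 for Tan Ah Kow, NRIC S1234567D, paid by card 4111 1111 1111 1111",
    "Contact alice@example.com about the quarterly newsletter",
    "Order ref 4111 1111 1111 1112 shipped to the Jurong warehouse",
    "Meeting room 4 booked for 13 Aug, 10am",
]


def run_demo(destination: str = "vendor") -> list[tuple[str, str, bool]]:
    """Classify each sample record and decide whether it may go to `destination`."""
    decisions = []
    for record in SAMPLE_RECORDS:
        label, _ = classify(record)
        decisions.append((record[:30], label, egress_allowed(record, destination)))
    return decisions


if __name__ == "__main__":
    for snippet, label, allowed in run_demo():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {label:12} {snippet}...")
```

Running the script with the default "vendor" destination blocks only the invoice record, because it carries an NRIC and a Luhn-valid card number; the order reference that merely looks like a card number fails the checksum and is released. A production DLP system adds many more detectors, content fingerprinting and context (who is sending, over which channel), but the shape is the same: classify first, then enforce a policy keyed on the label.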

Third-party Risk Management 

Given the growing number of attackers targeting third parties, organisations should assess a vendor's or partner's cyber risk before engaging them and continue to monitor the vendor's security controls thereafter, addressing any weaknesses promptly. Contracts should include data breach clauses (for example, an obligation for the vendor to notify the organisation of a breach within a set time), and the data shared with third parties should be limited to what they actually need, so that a breach at the vendor exposes as little as possible. 

Comprehensive Data Protection: Ensign’s Data Loss Prevention Suite 

Data breaches, whether accidental or intentional, can lead to hefty fines, and a stronger data security posture reduces that financial risk to your organisation. 

Our Data Loss Prevention (DLP) Suite enables organisations to secure data in use, data in motion and data at rest across endpoints, networks, storage and the cloud. It detects and prevents potential leaks or breaches of critical data. Beyond safeguarding sensitive data and intellectual property, it helps your organisation meet PDPA and GDPR requirements. Our DLP process is continually enhanced to address the evolving threat landscape, keeping your organisation protected against data breaches and exposure. 

Learn more about our Data Loss Prevention (DLP) Suite.

Copyright © 2025 Ensign InfoSecurity Pte. Ltd.