
The hazards which BRIMA has been pointing out to our society and state institutions since 2016 materialized this week as a major breach of sensitive data, causing damage to the entire active population of Bulgaria. We have organized and actively participated in a series of events on cyber risk management and have provided input to public opinion and to the state authorities.
The biggest Bulgarian personal data breach has now been confirmed as a fact. There are 57 folders, containing in excess of 1000 files, which hackers sent on Monday, 15/07/2019, to the media in Bulgaria. “Kapital”, a local news provider, appears to have received databases containing more than a million entries with various personal details such as addresses, names and, in some cases, earnings. The reality of this leak has been confirmed by numerous reports, which found matching data across several journalistic sources.
It is a time of awakening to the seriousness of the prevailing European data privacy and data protection legislation. The consequences of leaks and data mishandling are becoming more dire, but also more visible. Just in the last month we have witnessed several data breach-related fines: sanctions were issued to British Airways (in excess of £180 million), to the Marriott Hotel Group (approximately £100 million), to Haga Hospital (€460 000) and, even closer to home, UniCredit in Romania was fined in excess of €130 000. Now, with such a large amount of data taken from the Bulgarian Revenue Agency, is the time for the local Data Protection Agency to set an example and underline the seriousness of handling, and mishandling, the data of European citizens and residents.
Naturally, this all raises one question: how do such a wide variety of large, certainly “serious” organizations get the “safe handling” of such data so very wrong? As long-time providers of cyber risk management services, our observations point to a lack of understanding of what cyber risk management should entail, leading to inadequate preparation of cyber safety and security measures and policies.
The traditional, and still globally the most widely used, approach in the cyber departments of organizations is to simply create an IT policy and source a lot of software and hardware solutions on opinion-based grounds. To their credit, IT departments do their best to select the “best” and “safest” solutions. This, however, tends to lead to the misuse and misapplication of those very services and components.
Our team of security and exploit event researchers has more than once confirmed the idiom that, when using widespread, non-custom solutions, your data is only as safe as the least safe company that is also using your solution. To explain that in layman’s terms: if you happen to be a National Revenue Agency and have a mail management system which is also used in some tiny village in the middle of nowhere, a hacker would be best served by going to said village and working on discovering bugs and backdoors in that system, without any of the risks of doing such research on the Revenue Agency itself. This would allow a hacker or hacking group to have an attack vector tested and ready before ever trying anything against the actual Revenue Agency. All they have to do then is take the process perfected in the village and apply it at the actual target’s location or system.
Unfortunately, having completely custom systems built, from hardware to operating systems, drivers, word processing and all other programs and solutions, would be prohibitively expensive for the large majority of large (multi-billion-dollar) corporations and governments (top 20 economies). It would be entirely impossible for all smaller (non-billion-dollar) enterprises and governments (below the top 20 economies).
What, then, would the ideal solution be? The only reasonable approach is to use effective cyber risk analysis and management. Each system, each computer, server, phone and other logical device in a given organization should be included in a risk management process. Unlike most other kinds of risk, most cyber risks cannot be completely mitigated, regardless of whether your experts know how. While tampering with the source code of Microsoft products (for example), just so you can eliminate known bugs, back doors and weaknesses, may seem like a good idea, it would land your company in a legal battle with one of the world’s biggest corporate giants. A quality cyber risk analysis, however, would give you a clear understanding of the present risks in the software from the example above, along with such risks for every component in every system a corporation or government organization has. Only once you are aware of all of these, and of the solutions that exist for preventing, avoiding or mitigating the particular combination of risks the organization in question could face, does the time come to actually start creating an IT policy.
Without a proper cyber risk analysis, which takes into account the maximum possible number of events and has a controlled update cycle, any IT policy is simply taking shots in the dark, hoping you will not miss anything that might shoot back. While it is only our personal experience, we are finding that a 30-month database purge cycle, with a +110 000 000 entry cyber risk and threat database, provides a sufficiently strong starting point for clients to create informed IT policies.
Ignorance of cyber risk management can be compared to the simple example of poor maintenance of any machine, such as the internal combustion engine of a car. It needs its lubricating oil and some filters changed on a regular basis, as well as fine tuning. If the maintenance does not occur at the appropriate intervals and by qualified experts, the engine may still run for a certain period, but it will surely be lost to gross negligence.
Why is all of this important in data privacy legislation? Because of the much-vaunted term “privacy by design”. It means being aware of what could go wrong before you throw your IT department together “blindly”. And that means having an experienced risk manager, with a BRiMA membership and access to the top cyber risk management resources on the continent, who can help you make sure your IT policy is not just a “shot in the dark”.
BRiMA Cyber Risk Management Team