HKCert
Security Blog

The die was cast: Always handle customer information with caution

Release Date: 29 / 11 / 2018
Last Update: 29 / 11 / 2018

Again, another data leakage incident was found from a famous credit scoring company in Hong Kong. Someone might obtain your credit scoring report by abusing your personal information e.g. HKID, and pass the authentication process easily. 

 

Failed to protect customer information is a fatal mistake for organizations. Negative impacts are expected from this failure. Legal liability, damage corporate reputation and financial impact are some of these examples.

 

HKCERT urges organizations should exercise both Due Care and Due Diligence to protect their customer information. To improve and enhance the data protection and security measures to prevent and detect unauthorized access and data breach.

 

Due Care

At the stage of application design, organization should perform risk assessment based on its business nature, e.g. what data will be handled by this application, what is the impact if these data were disclosed accidentally, what corresponding security controls organization should use to mitigate these identified risks. etc.

 

Due Diligence

Organization should also review security risks and if these risks can be managed regularly, e.g. Security assessments. Protecting customer information is NOT a project with end date, it should be a routine. Cyber criminals is more and more mature and their attacks can be sophisticated. To cope with these evolving security risks, organization should keep improving their information security capabilities, e.g. improve the application security, train the staff to handle latest security threats and review the vulnerabilities from business process etc.

 

Prevention is always better than cure. Protection of customer information is a part of Information Security. Fulfilling requirements of information security requires a lot of resources, and it should be endorsed by senior management. Organizations should expect that more and more Laws and Regulations on data protection and information security may come soon, e.g. General Data Protection Regulation (GDPR).