Earlier this month, approximately 20 million South Koreans (almost half of the country’s population) learned that their names, social security numbers and credit card details had been illegally copied and sold to marketing firms.
This particular data breach demonstrates that, whilst many of the most high-profile (and costly) data breaches and IT glitches have affected organisations in the US and Europe, organisations located elsewhere in the world should beware; indeed, the frequency, and severity, of data breaches and IT glitches is increasing, particularly significantly in a number of Asia’s tiger economies.
The statistics do not lie
Statistics published by the Hong Kong government1, indicate that the number of computer crimes perpetrated in Hong Kong doubled between 2009 (1,506 crimes) and 2012 (3,015 crimes). During the same period, the financial losses suffered by Hong Kong companies as a result of computer crimes increased by a factor of 7.5, from HK$45.1m (£3.5m) to HK$148.52m (£26.7m).
Likewise, research conducted by the Ponemon Institute2 in March 2012 suggests that cyber crime cost businesses in Singapore an estimated S$1.1bn (£530m) in 1st and 3rd party losses during 2010; and that in India, notwithstanding the considerably lower costs of doing business there, the average financial loss suffered by a companies experiencing a data breach is $1.1m (£670,000).
To give come context to those figures, we summarise below the facts of some of the most notable data breaches and IT glitches to have affected Asian businesses recently.
Hackers and “Hacktivists”
- In August 2011, trading in the stock of seven blue-chip companies (including HSBC and Cathay Pacific) was suspended after hackers had broken into the Hong Kong Stock Exchange news website shortly after the affected companies had released price-sensitive information
- In 2012, two hackers were arrested in South Korea for illegally obtaining details of almost 9 million subscribers to a mobile phone network, KT Mobile
- In November 2013, “Anonymous Philippines”, a group of political “Hactivists” based in the Philippines, leaked a list of 17 governmental websites they had hacked to several Asian news agencies
- In December 2013, two brothers operating under the pseudonym “the Messiah” were arrested in Singapore for hacking the websites of the Singapore Prime Minister’s office and of the Straits Times, one of the country’s leading newspapers. The police’s subsequent analysis of the Messiah’s laptop revealed that it contained bank statements of 647 of Standard Chartered’s private banking clients that had been stolen earlier in the year from a server at an independent contractor, which the bank had hired to print those statements.
Debit card fraud
In January 2012, 2,700 customers of DBS Bank, a major Asian retail bank headquartered in Singapore, had their debit cards cloned as a result of a security breach at two cash machines. The bank promptly repaid over S$500k (£250k) to the affected customers. Such instances had previously been fairly rare in Singapore and the much greater (albeit undisclosed) cost to DBS was the reputational damage and the cost of increasing the security of its debit cards.
- A number of glitches in the hardware systems of Bursa Malaysia, the operator of the Malaysian stock exchange, have reportedly cost the exchange to suffer hundreds of thousands of pounds in lost commissions since March 2007
- In Singapore, in August 2010, an IT glitch caused DBS Bank’s network of cash machines to be shut down for seven hours and its internet banking service to be shut down for nine hours. The bank had previously outsourced responsibility for that particular area of its IT system, although Singapore’s financial services regulator, the Monetary Authority of Singapore, nonetheless censured DBS for “shortcomings and inadequate management oversight by the Bank of its outsourced IT systems” and ordered it to deposit S$230m (£115m) with the Monetary Authority. Quantifying the return DBS would have otherwise earned on that sum is difficult, but on any analysis it would have been substantial
- In October 2013, M1, a Singapore telecommunications company, was fined S$1.5m (£750k) by the local telecommunications regulator for a mobile telephone service outage which affected 250,000 of its customers for over two days. The outage was caused by manual errors by individual personnel who were working on upgrading M1’s electrical systems.
- In May 2008, HSBC in Hong Kong lost a computer server containing the transaction data of 159,000 account holders. Many of the affected customers moved their accounts to other banks
- In 2009, a USB flash drive containing patients’ personal data and medical records was lost by a doctor at the United Christian Hospital in Hong Kong.
The insurance perspective
In view of the above, it is hardly surprising that businesses across Asia are becoming increasingly concerned about the risks of data breaches and of their potentially significant, consequences.
It is not all doom and gloom, however. Insurers in the Hong Kong and Singapore markets are increasingly developing innovative policies to enable businesses of all sizes, and across all sectors, to insure against the risk of many of the above situations arising.
At one end of the spectrum, businesses can purchase a bespoke policy designed to respond to one or more specifically agreed risks. At the other end of the spectrum, insurers are able to offer their clients much broader “all risks” coverage aimed at responding to all first and third party losses (provided that they are insurable at law) flowing from a data breach or an IT glitch. Businesses interested in exploring the available insurance solutions should contact their insurance broker.