Digital Transformation and Government Data Breaches

Digital transformation has led to changes on a large scale. Innovative companies became the new market leaders in less than a decade. In fact, the very understanding of digitalization changed in that time. Everything became easier, more accessible and less time-consuming to deal with.

From paying bills online to checking highly sensitive information about yourself, everything can be done online in just a few seconds. It soon became common practice because it is convenient to have your whole world just one click away.

This digitalization didn’t skip governments. Having acquired this habit, it was natural for people to start checking administrative information online too. The European Commission is also encouraging this transformation by working on guidelines for countries and organisations.

More and more governments have now digitalised their data and are seeing significant improvements in work efficiency, transparency and accountability.

But as we have mentioned before, Digital Transformation happens too fast to be secure. And governments are no exception.

Although they keep high volumes of classified information, governments are often an easy and appetizing target for cybercriminals.

Back in July, the Bulgarian National Revenue Agency discovered a massive cyber attack that compromised the personal data and financial records of nearly every working adult in Bulgaria’s population of 7 million.

Just a few weeks later, in August, a massive data leak affecting over 14 million Chilean citizens was discovered. “The 3 GB database was hosted by Softlayer Technologies in Dallas, Texas, USA, but they are not responsible for the leak,” it was reported.

Again, the leaked database contains personally identifiable information of almost every Chilean citizen. In both Chile and Bulgaria, citizen ID numbers were leaked along with the names, ages, gender and addresses of the victims.

This data can be extremely valuable if it falls into the wrong hands. With this information, it is easier for criminals to commit:

  • Identity theft
  • Phishing attacks
  • Financial fraud

And just a few days ago, a third data breach incident involving citizen data held by a government was discovered. Sensitive data of over 20 million individuals in Ecuador (including the country’s president) was leaked. According to researchers, one of the most concerning parts of this data breach is that it includes detailed information about people’s family members:

“For each entry, we were able to view the full name of their mother, father, and spouse. We were also able to view each family member’s ‘cedula’ value, which may be a national identification number”

How did the data leaks happen?

The leak at the Bulgarian NRA was the result of an SQL injection and poor security safeguards. It is estimated that this vulnerability had existed since 2015 and that no measures were taken in all that time, even though the agency was warned several times by IT consultants.
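To make the SQL injection failure mode concrete, here is an added example (not code from the NRA's systems or from this article's author): a lookup over an in-memory table, first with user input concatenated into the query and then with a bound parameter. The table, function names, records and crafted input are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed (fake) citizen records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE citizens (national_id TEXT PRIMARY KEY, name TEXT, address TEXT)"
    )
    db.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [
            ("0000000001", "Test Person A", "1 Example St"),
            ("0000000002", "Test Person B", "2 Example St"),
            ("0000000003", "Test Person C", "3 Example St"),
        ],
    )
    return db

def lookup_vulnerable(db, national_id):
    """BEFORE: the input becomes part of the SQL text and is parsed as SQL."""
    query = (
        "SELECT name, address FROM citizens WHERE national_id = '"
        + national_id + "'"
    )
    return db.execute(query).fetchall()

def lookup_parameterized(db, national_id):
    """AFTER: the driver binds the value, so it is only ever compared as data."""
    query = "SELECT name, address FROM citizens WHERE national_id = ?"
    return db.execute(query, (national_id,)).fetchall()

# Constructed input: not a valid ID, but it rewrites the WHERE clause
# when concatenated into the statement.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid ID:      ", len(lookup_vulnerable(db, "0000000002")), "row(s)")
    print("vulnerable, crafted input: ", len(lookup_vulnerable(db, CRAFTED)), "row(s)")
    print("parameterized, crafted:    ", len(lookup_parameterized(db, CRAFTED)), "row(s)")
```

A single request that returns every row is also a useful detection signal: a lookup keyed on a unique ID should never yield more than one record.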

The Chile data leak occurred due to an unsecured Elasticsearch engine on an exposed server. The default setting for Elasticsearch requires no authentication mechanism since it’s meant to be installed in internal networks. If such a server is open to the internet then anyone with the IP address and port number could access it.

Ecuador’s case was similar to Chile’s. 20.8 million records, within 18GB of data, were exposed on an unsecured server located in Miami, Florida, which appears to be owned by an Ecuadorian company, according to the researchers. The vpnMentor research team discovered this breach as part of a large-scale web mapping project they were taking part in. Led by security experts Ran and Noam, vpnMentor’s research team scanned ports to find known IP blocks. The team then searched for vulnerabilities in the system that would indicate an open database.

All three cases of leaked data could create long-lasting privacy issues for the affected individuals.

How to prevent sensitive data breaches

When it comes to sensitive data, it is very important to ensure appropriate safeguards are in place. This is mandatory not only for governments but also for all companies holding large volumes of sensitive personal data. Companies should pay extra attention to who has access to this data, how and why they access it, and whether there are any backdoors to it. They should then take appropriate measures to protect it from unauthorised parties and, if any unusual activity related to it is detected, act in time.

A good “security in depth” approach would have prevented the data breaches. Setting up several layers of defense, in case some are bypassed or misconfigured, can make the difference in such cases. For example, if the server is misconfigured or has not been protected by firewalls, a second layer of defense (such as password authentication) would have helped secure the data in some cases.

  • Conduct an IT compliance audit – external experts may be able to detect vulnerabilities and suggest appropriate measures based on your organisation’s needs and the risk levels of your data. It is a good way to secure your systems and also to demonstrate to regulators that you are accountable for the sensitive data you hold.
  • Penetration testing – you need to conduct pen testing to detect whether or not your systems are easy targets. Pen tests can help you decide where to start by showing the most vulnerable aspects of your IT systems.
  • Secure database servers – using multi-layer encryption on your database can be a very efficient way to reduce the risk of a data breach to a minimum. Our product SentinelDB has been created exactly for this purpose. It is a multi-layer encrypted secure database that keeps sensitive data safe and ensures zero chance of data breaches. It also has an intuitive user interface which makes the setup and monitoring process easy.
  • Accountability and due diligence: secure your audit logs. Make sure you keep unmodifiable digital evidence of every critical action so you can trace it back in case of an investigation. We at LogSentinel have developed SentinelTrails – a blockchain-protected secure audit trail which keeps unmodifiable evidence of every business process.
  • Third-party contracts: make sure that any third-party company dealing with the servers complies with regulatory and quality standards such as ISO 27001, and require regular audits of the systems they use.
  • Implement appropriate access and anomaly detection rules – make sure your CISO receives a real-time notification if there is anomalous activity. We at LogSentinel use AI-driven anomaly detection and we have developed a dashboard for setting up business-specific rules so you can keep an eye on every unusual use case, and take measures before it’s too late.
  • Require authentication to access all systems – ensure that all your systems require authentication. Where possible, use two-factor authentication for more secure access. Access logs should also be stored securely and be part of the auditing process.
  • Data integrity – make sure you keep versioned records of every document change. Read 3 reasons why not to ignore data integrity.
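The audit-log and data-integrity points above ask for evidence that cannot be silently modified. One generic way to get tamper evidence is a hash chain, sketched here as an added example (this is not SentinelTrails code or its design; the function names and events are constructed). It also shows why the latest hash has to be anchored outside the log: a truncated or fully rewritten chain is still self-consistent.

```python
import hashlib
import json

GENESIS = "0" * 64

def digest(prev_hash, record):
    """Hash the previous entry's hash together with a canonical record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, record):
    """Append a record linked to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": digest(prev, record)})

def verify(log, anchored_head=None):
    """Return None if intact, otherwise a description of the first problem.

    anchored_head is the last hash as stored somewhere the log's writer
    cannot change (assumption: a separate system or a printed record).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != digest(prev, entry["record"]):
            return f"entry {i} altered or out of order"
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return "chain is self-consistent but does not end at the anchored head"
    return None

# Constructed sample events.
SAMPLE_EVENTS = [
    {"actor": "clerk-17", "action": "login", "object": "registry"},
    {"actor": "clerk-17", "action": "export", "object": "tax-records"},
    {"actor": "admin-02", "action": "grant", "object": "clerk-17"},
]

def sample_log():
    log = []
    for event in SAMPLE_EVENTS:
        append(log, dict(event))
    return log

if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["record"]["action"] = "read"   # edit one entry in place
    print("edited:", verify(log, head))
```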

Conclusion

Digital Transformation in the 21st century is an irreversible process. Our everyday life is becoming more and more digital, and governments can’t skip this. So digital protection shouldn’t be neglected. Just as national paper records are kept secret, in locked rooms, their digital equivalents should be stored carefully too. Innovative technologies should be embraced and used to their full capacity, but their security should never be left unattended.