by Lim Seng Siew, Director OTP Law Corporation
Introduction
The most recent Singapore Cybersecurity Landscape Report 2021 lists phishing attempts as one of the more prevalent methods of cybersecurity attacks. What is phishing? What are the consequences if I have been wrongfully used to launch a phishing attack? And what can I do to avoid being a victim of a phishing attack?
In this first part, we will talk about what happens if you are a victim of a hack.
What is Phishing?
Phishing is a method hackers use (a) to fraudulently obtain a victim’s personal and financial information such as their login details, bank account numbers and credit card details; (b) to cause a victim to transfer money to the hacker; or (c) to cause malware to be installed. The hacker disguises himself as a legitimate individual or reputable organisation (such as a lawyer or law firm) in emails, instant messaging, and other communication channels to trick the victim. Once the hacker obtains the victim’s personal information, they could gain access to the victim’s online accounts, and even impersonate the victim to scam the people around the victim, such as their family, friends, and business partners.
Closely related to phishing is spoofing. Spoofing is when a hacker makes use of computer techniques to trick even computer systems and their users by hiding or faking the hacker’s true identity. The email may look as if it is from a legitimate server but is in fact not.
Consequences to an organisation if they are used to launch a phishing attack
Of course, if an organisation’s systems have been hacked and subsequently used as an intermediary to launch a phishing attack onto others, its reputation will be affected and customers’ and business partners’ confidence in the organisation’s ability to keep their customers’ information confidential will be called into question. Rebuilding that reputation will take much time and resources.
In addition, where the cybersecurity incident or data breach involves personal data of a significant scale or causes significant harm, the Personal Data Protection Commission (PDPC) must be notified under the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“NDBR”). A breach can occur even if no data is stolen (or exfiltrated). A breach occurs so long as personal data is wrongfully accessed or used. If the PDPC finds that the organisation had not taken reasonable steps to secure personal data, the organisation can face a financial penalty of up to S$1m or 10% of its annual Singapore turnover, whichever is the higher limit.
Under the NDBR, the data breach is of a significant scale if it involves personal data of 500 or more individuals (who can be customers, staff, or other parties) and causes significant harm if it involves a prescribed list of personal data. Such prescribed personal data includes (a) an individual’s name, login identities, passwords, or similar information, (b) financial information; (c) health information; (d) information concerning vulnerable individuals such as children, young persons, vulnerable adults, or adoptees.
In the next part of this series, we will discuss about what to do if you are a victim of a hack.
If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.