What Business Owners Can Learn From the AKPK Breach

What happened?

Agensi Kaunseling dan Pengurusan Kredit (AKPK – Credit Counselling and Debt Management Agency) had its servers (which contain customer data) illegally accessed. AKPK announced the discovery of this cybersecurity breach on March 30. One month later (April 26), the agency determined that some data exfiltrated by the cybercriminals was published on the dark web.

Who (or what) is AKPK?

An agency established by Bank Negara Malaysia (the Central Bank of Malaysia), AKPK helps individuals take control of their financial situation and gain the peace of mind that comes from the wise use of credit. It is a community service that helps Malaysians who seek financial advice get their finances on track.

How many people were affected?

Approximately 20 customers have had personal information – names and National Registration Identity Card (NRIC) numbers – published. AKPK is anticipating that the criminals will publish more information, including additional customer names and NRICs, in the coming days and months.

Why did it happen?

Currently, AKPK has not disclosed the root cause of this breach. As this is an ongoing investigation, expect more details to unfold.

What did they do right?

The agency should be commended on several fronts:

  • Its transparency in communicating the breach through media statements (how many customers were impacted, security updates, remediation, PSAs and FAQs, etc.)
  • Assisting affected customers
  • Working closely with law enforcement and other relevant authorities
  • Working to fortify its cyber defences and forensically reviewing its systems
  • Taking some of its operational systems offline temporarily to prevent further risks

All in all, AKPK’s response is a case study on how organizations can respond in the event of a data breach.

What lessons can we learn and apply?

The AKPK breach highlights the risks associated with storing vast amounts of personal data and the potential impact of a breach on individuals’ privacy and financial well-being. Data breaches are not an “if” but a “when”, so organizations must be prepared with a breach response plan.

The breach is a showcase of AKPK’s breach response plan put to use – it demonstrates the importance of timely reporting of data breaches to affected individuals and authorities. Prompt and transparent communication can help mitigate the damage caused by a breach and rebuild trust with customers.

Here are several recommended practices for organizations as they strengthen their security posture:

  • conduct cybersecurity assessments and audits
  • integrate security into the development lifecycle
  • implement a DevSecOps pipeline that fosters collaboration between development and security teams

By following these best practices, businesses and agencies can take proactive steps to protect their valuable data and prevent costly data breaches.

The post What Business Owners Can Learn From the AKPK Breach appeared first on GuardRails.

*** This is a Security Bloggers Network syndicated blog from GuardRails authored by GuardRails. Read the original post at: