Call for reassurance on mishandled data
Khairul Khalid 
CIMB confirms that no authentication data was in the lost tapes

THE recent accidental loss of backup tapes by CIMB Group Holdings Bhd has alarmed the financial sector and public.

It has raised fresh concerns about the safety of personal and sensitive data stored with banks that could be easily compromised if mishandled.

Although CIMB has reassured customers that no critical data was lost, there are worries that other banks could also be exposed to similar incidents if proper systems are not implemented.

The public wants reassurance that such incidents will not recur. What are the authorities and regulators doing to address the issue?

Failure to nip the issue in the bud will certainly erode consumer confidence in the banking system.

As it is, CIMB shareholders may already be feeling jittery following the incident.

After its announcement on the backup tapes’ loss, the counter closed lower at RM6.13 on Nov 13 from RM6.18 on Nov 10. The stock continued its decline to close at RM5.92 on Nov 16.

A senior information technology (IT) manager at a Malaysia-based foreign financial institution tells FocusM that Bank Negara Malaysia, as the regulator, must impose stiffer fines on errant banks to prevent occurrences like this from ever happening again.

“If Bank Negara is just going to reprimand the banks involved [in mishandling data] with a slap on the wrist, potential recurrence is high.

“If the same thing happened in other countries, the authorities would’ve likely grilled the banks and imposed a hefty fine.

“Compared to the US or Europe, for example, local banks are seldom hit with legal action either by consumers or regulators when there are data breaches,” says the senior IT manager.

He says the incident should not be blamed on any lack of policies, procedures or processes that are in place.

“When Bank Negara audits a foreign financial institution, its best practices are shared with local banks, and where applicable are mandated for full compliance, if it’s not cost prohibitive.

“I believe, in this instance [CIMB], it’s a case of lacking oversight on vendor management or third party outsourcing, monitoring and early detection of the breach,” he says.


Restoring faith

The senior IT manager says the key to restoring customer faith after a data security crisis is clear — quick communication to customers to prevent erosion of trust.

In this case, CIMB can be commended for its rapid response and communications to customers.

Nevertheless, he regrets the fact that public understanding of cybersecurity issues is still limited.

“I don’t think the fallout from this security breach will be dramatic since it is localised and customer awareness levels are mediocre at best,” he says.

On Nov 13, CIMB revealed that several of its magnetic tapes containing backup data were lost in transit during routine operations.

It assured the public that the lost tapes contained no authentication data such as PINs, passwords or credit card-related information.

The second-largest bank in Malaysia also says its ongoing assessment showed no evidence of compromised data, and that it is working with the authorities and taking measures to protect customers.

CIMB has also heightened security measures across all its channels, including temporarily suspending some services via its call centre.

This includes requests for change of address, telephone number and/or email address for banking/credit cards, third-party fund transfer or payment for customers without T-Pin, and T-Pin creation or requests.

Bank Negara says precautionary and mitigatory measures have been taken to reduce possible impact from the lost tapes. It advises the public to be vigilant in safeguarding their personal information.


Isolated case

Another senior IT manager at a local bank believes CIMB’s lost data is unlikely to affect market confidence because it is an isolated incident.

“The issue is not about data security per se. It is more of a tape transit issue.

“As CIMB’s report says, there is no security data on those tapes (ie PIN number/passwords), so there won’t be any financial impact on customers,” he says.

He suggests that one way to keep a closer eye on tape transits is for banks to do it themselves, instead of relying on third parties.

“Most of the banks engage third-party vendors and movers for tape transit. So we may need to have a stricter selection of vendors or have our own staff do it,” he says.

Nevertheless, he also feels that no security measures taken by banks will be 100% foolproof due to fast-evolving technology and the persistence of hackers.

“In terms of data security, I’m sure all the banks have taken necessary action to secure their customers’ data.

“In fact, every bank has its own IT team to ensure that the best data security features are implemented.”

Having said that, he says fraudsters and hackers will continue to try and breach the bank’s security systems for monetary gain.

“Banks will have to continuously look for new technologies to overcome and mitigate such attacks,” he says.

Encryption secures backup tapes

THE loss of several CIMB magnetic tapes is certainly a cause for concern, especially surrounding customer information and whether or not it poses any security risk for the bank and its customers.

While losing the tapes is upsetting, the bank’s customers might not need to be too worried about it being a security risk.

It is also worth noting that there are security measures in place for the data stored on these magnetic tapes.

Fong Choong Fook, who founded cybersecurity firm LGMS, says the data on magnetic backup tapes is encrypted and has no catalogued index, thus making it really hard to read.

“Imagine the data as multiple split ZIP files – getting some of the ZIP files instead of the complete set may not lead you anywhere because the data are compressed, encrypted and distributed into separate physical copies.

“So even if someone gains access to these magnetic tapes, they may not be able to properly read the data,” he says.

Fong says other factors that make reading the data unfeasible include the fact that the devices needed to read the magnetic tapes come at a five-figure price and are not something that can be bought off the shelf.
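As an added illustration of the property Fong describes (example code written for this page, not code from the article, CIMB or LGMS): the Go program below compresses a constructed set of fake records, seals the stream with AES-256-GCM under a key that is assumed to live in a key manager rather than on any cartridge, and splits the ciphertext across simulated 128-byte "tapes". The full set plus the key restores the backup; a set with one tape missing, or the right set with the wrong key, is refused outright because the GCM tag does not verify; and a stray tape shows no readable records. It also shows the part of the ZIP analogy to be careful with: a set that is only compressed and split, with no encryption, still lets whoever finds the first tape inflate the beginning of the data. This is the same property that drive-level encryption on LTO-4 and later tape drives provides when the key is supplied by the backup software or key manager; the tape size, key, records and function names here are all assumptions for the demonstration.

```go
// Added example (not code from the article, CIMB or LGMS): compress a backup, seal it
// with AES-256-GCM and split it across simulated tapes. Key assumed to live off-tape.
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

const tapeSize = 128 // bytes per simulated cartridge (real ones hold terabytes)
// demoKey stands in for a key fetched from a key manager at backup time.
var demoKey = sha256.Sum256([]byte("demo-only key material, not a real KMS key"))

// sampleBackup is a constructed set of fake records, not real customer data.
var sampleBackup = func() []byte {
	var b bytes.Buffer
	for i := 0; i < 20; i++ {
		fmt.Fprintf(&b, "ACCT%05d|CUSTOMER %02d|Jalan Contoh %d, Kuala Lumpur|BAL=%d.00\n", 10000+i, i, i*7, 1000*i)
	}
	return b.Bytes()
}()

// compress gzips p in memory; writes to a bytes.Buffer cannot fail.
func compress(p []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(p)
	zw.Close()
	return buf.Bytes()
}

func splitTapes(data []byte) (tapes [][]byte) {
	for ; len(data) > tapeSize; data = data[tapeSize:] {
		tapes = append(tapes, data[:tapeSize])
	}
	return append(tapes, data)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PackBackup compresses, encrypts and splits; the nonce may travel with the tape labels, the key must not.
func PackBackup(plain, key []byte) (tapes [][]byte, nonce []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return splitTapes(gcm.Seal(nil, nonce, compress(plain), nil)), nonce, nil
}

// RestoreBackup joins the set, checks the GCM tag, decrypts and decompresses; a missing tape or wrong key fails the tag check.
func RestoreBackup(tapes [][]byte, key, nonce []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	z, err := gcm.Open(nil, nonce, bytes.Join(tapes, nil), nil)
	if err != nil {
		return nil, fmt.Errorf("restore refused: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// PartialDecompress is what a finder can do with one compressed-but-unencrypted cartridge: inflate as far as it goes.
func PartialDecompress(tape []byte) []byte {
	zr, err := gzip.NewReader(bytes.NewReader(tape))
	if err != nil {
		return nil // no gzip header here: a middle cartridge, or ciphertext
	}
	out, _ := io.ReadAll(zr) // io.ErrUnexpectedEOF is expected; keep the prefix
	return out
}

func main() {
	tapes, nonce, _ := PackBackup(sampleBackup, demoKey[:])
	_, err := RestoreBackup(tapes[1:], demoKey[:], nonce)
	fmt.Printf("%d tapes sealed; restore with one missing: %v\n", len(tapes), err)
	fmt.Printf("compressed-only tape 1 inflates to %q\n", PartialDecompress(splitTapes(compress(sampleBackup))[0]))
}
```

Running main prints the tape count, the refusal when one cartridge is missing, and the plaintext prefix that falls out of the compressed-only tape. What keeps a lost cartridge unreadable in this model is the key held elsewhere; compression, splitting and the cost of a drive only add effort for the finder.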

Following the incident, CIMB has said it does not need its customers to perform any specific actions. Nonetheless, it encourages CIMB customers to follow these best practices:

▶ Be vigilant and keep your card, PIN, CIMB Clicks ID and password safe at all times.

▶ Do not give your account/card/password details or TAC information via call/SMS/email to anyone who positions themselves as your bank or a regulator or telco.

The bank or banking industry regulators will never ask for such details over the phone or through SMS or emails.

Fraudsters may deploy scare tactics or even know your personal details, so the bank advises customers not to listen to or act on what any outside party says, and to rely only on good banking practices. If in doubt, contact CIMB.

The bank encourages its customers to continue being vigilant, and if anyone receives suspicious calls, SMS or emails, they should end the call immediately and contact the bank for clarification.

While it may not be a serious matter, for now, there’s no harm in being cautious. – Tan Jee Yee

This article first appeared in Focus Malaysia Issue 259.