Lessons Learned from Data Breach in Southeast Asia: Is There Light at the End of the Tunnel?

In 2019, two major data breach incidents happened at the regional level. One involved Sephora, a well-known cosmetics retailer with branches all over the world. The other involved Lion Air, a well-known airline in Southeast Asia. Loss of personal data is a critical issue that only a limited number of people care about, because its effects are not immediate. The government might not be able to act promptly enough in forcing the business sector to take responsibility for the incident. In this case, people can help by putting pressure on the company to act, but when public understanding is largely limited, as in Southeast Asia, this approach will only work when the public has strong knowledge of the issue.

The Sephora incident came to public light in late July 2019, with eight countries in Asia-Pacific involved. Five of them (Indonesia, Thailand, Malaysia, Singapore, and the Philippines) are in Southeast Asia; the other three are Hong Kong, Australia, and New Zealand. The breach involved the personal information of around 3 million customers who have an online account with the company. After the incident broke, Sephora offered a Personal Data Monitoring Service to the affected customers. The service was provided by Experian, a global company that brands itself as a consumer credit reporting agency. The service is claimed to let customers see how far their personal information has spread, including on the dark web. Sounds great, doesn’t it? However, this was limited to affected customers in Singapore, Hong Kong, Australia, and New Zealand only. The rest of the affected countries? They were only told to change their passwords. This can be considered a “double standard” and, of course, discrimination.

A screenshot from the Sephora Thailand website when a customer tries to find out about the personal data monitoring service.

A screenshot from the Sephora Australia website when a customer tries to find out about the personal data monitoring service.

In September, Lion Air and its three subsidiaries encountered a massive data breach in which personal data containing sensitive information of around 35 million customers was leaked. The subsidiaries are Malindo Air, Thai Lion Air, and Batik Air. Malindo Air and Thai Lion Air are reported to be the most affected; not much information is available about the last one. Malindo Air, as an international airline, is the only airline in the incident that has issued press statements, while Thai Lion Air has done nothing: nothing regarding the incident appears on its website or its social media channels. Malindo Air also gets the most attention from the press. The fact that the airline flies to Europe, where one of the strictest personal data protection laws in the world exists, might play a part in the company’s response.

This is an ugly thing to say, but it really sounds as if, when you are born in a region where no one genuinely cares about personal data protection, like Southeast Asia, you have to deal with discrimination and the danger of your data being exposed to the public by yourself. Our security depends heavily on the country’s law on personal data protection. Strong law enforcement can protect people’s personal data by forcing a business to secure its systems and not to do anything that counts as data exploitation. When there is a data breach, we often cannot do much about it. Leaked data can have long-term effects on the individual whose personal data is leaked: it can be sold commercially on the dark web or used for criminal activities such as identity theft and electronic fraud, among others.

Moreover, governments in the region have also not made enough effort to protect their people’s personal data from a human rights approach. This is seen in their practices and in the existing laws on personal data protection throughout the region. Many companies that experience a data breach usually get away with the incident without being fined or questioned. One important aspect that can be addressed here is the lack of mechanisms, such as a watchdog at both the national and the regional level and a court of justice that can deal with incidents at the regional level. This lack of mechanisms leaves a loophole: companies are neither held accountable for the incident nor made to handle its effects without discrimination.

In the case of Sephora, the online database is managed by the company’s office registered in Singapore. Since Singapore has recently paid serious attention to personal data protection, the company might be held responsible. However, it is unlikely that the company will be affected by any law or legislation for treating its customers discriminately based on their location. In the case of Lion Air, the scale of the issue involves three governments: Indonesia, Malaysia, and Thailand. Lion Group is registered under Indonesian law, while Malindo is registered in Malaysia and Thai Lion Air is under Thai law. As already shown, the companies do not handle the situation in the same way.

What Southeast Asia needs is a unified data protection regulation at the regional level that can protect people’s personal data at the same level as the General Data Protection Regulation (GDPR) of the European Union. When the interpretation of data protection is the same throughout Southeast Asia, regional data breaches like Sephora and Lion Air are likely to be handled in a way that treats people the same regardless of which country they are from. It forces businesses to comply with the regulation; otherwise they can be fined and lose business opportunities. A regional mechanism like the watchdog or court of justice mentioned earlier is also needed to make enforcement happen. However, given the situation in Southeast Asia, there is still a lot to be done.

Having a data protection law that is concerned with human rights at the same level as the GDPR will benefit the region in different ways. Countries in the region have been alerted to the issue of data protection since the adoption of the GDPR, but none of them has yet come up with an equivalent national law on data protection, given the political repression that still looms large throughout the region. Also, even though laws on data protection exist in some countries, enforcement is not serious enough to hold companies responsible. Usually, we are told to change our passwords, but little is revealed from the company’s side regarding what it will do in terms of investigation, how the incident happened, and future prevention.

Sephora and Lion Air are unlikely to be the only two companies whose databases are not secured well enough. When our lifestyle these days involves technology so much, as seen in the popular use of e-commerce sites like Lazada and Shopee or mobile applications like Grab, Get, and Food Panda, we have to be careful and learn how to protect ourselves. We might have to let go of some convenience, e.g. not allowing e-commerce websites to remember our credit card numbers, or choosing to pay with cash after the service is complete. The Health Sciences Authority leak of the AIDS registry can affect the employment and livelihood of many. The SingHealth data breach subjects people to potential blackmail or something as serious as loss of health insurance coverage.

In an age where data is like gold, human security can also depend heavily on data protection. The world is moving forward on data. If countries in the region still overlook the real importance of data protection, they are likely to lag behind.

This article is published under Creative Commons license CC-BY-NC-ND 4.0.
