In this weekly overview of major security incidents, you will learn about several cases that led to the exposure of hundreds of GB of confidential data.
The first data incident in our list affected Finastra customers. Finastra, a financial technology firm, experienced a cybersecurity incident. A data breach was detected on the 7th of November. A cybercriminal gained access to the secured file transfer protocol of the company’s internal data network. As a result of the breach, 400 GB of data were exfiltrated from the network. The full list of compromised data is still under investigation, but initial reports indicate that the malicious actor gained access to sensitive data on customers and internal documents, including:
The company's experts are currently conducting an investigation to determine the scope and nature of the exfiltrated data. In any case, such incidents pose a significant risk to client confidentiality and the integrity of financial transactions.
The second incident in our round-up affected Bologna FC and its affiliated parties. Representatives of Bologna FC confirmed that the RansomHub group successfully stole the club’s confidential data. As a result of the ransomware attack, the threat actors managed to acquire a wide range of internal data. According to the RansomHub group, the leaked data includes:
RansomHub attempted to blackmail the football club by listing examples of how leaked documents caused other teams to pay huge fines over GDPR violations. Bologna FC refused to pay a ransom.
The final incident in today's round-up is the exposure of the personal details of 2.7 million Pakistanis. Details of the incident were revealed recently. It turned out that the leak involved an insider. As reported by the National Database and Registration Authority (NADRA) of Pakistan, the large data breach, which took place over four years (2019-2023), resulted in the exposure of:
Investigators report that some of the data was sold internationally. This raises concerns about national security and citizen privacy, as such data can be used for identity theft and fraud.
The severity of data-related incidents prompts regulators to develop and adopt specific regulations aimed at ensuring appropriate data protection. Recently, key changes to Malaysia's Personal Data Protection Act were announced.
Earlier this year, the Personal Data Protection Bill 2024 was passed in Malaysia. It introduces changes to Malaysia's Personal Data Protection Act (PDPA). There are four key changes, which apply to Malaysian companies after the end of the consultation period earlier this fall.
Data controllers must notify the Malaysian Personal Data Protection Commissioner of suspected or actual personal data breaches. This rule applies to breaches that contain data on more than about 500 subjects. Notification should be made within 72 hours of the organization becoming aware of a breach.
Data controllers and data processors must appoint a data protection officer if they carry out “large scale” data processing activities. Characteristics of “large scale” are defined by such parameters as the number of data subjects, the volume, range, and nature of data being processed, and the duration and geographical extent of processing.
PDPA grants data subjects the right to request the transfer of their own personal data from one data controller to another. Data controllers have to follow a common set of technical standards.
Previously, the Malaysia PDPA used a whitelist regime that limited the jurisdictions to which data controllers could transfer personal data. In fact, no country has been added to this list since the inception of the PDPA. Under the new changes, data controllers are allowed to transfer personal data to any jurisdiction outside of Malaysia that has data protection laws equal to the PDPA or ensures an equivalent level of protection.
Such legislative changes contribute to the safe use of digital data and the steady development of the information security environment around the world.
The rapid development of information technologies leads to their widespread application in business, economics and state institutions. This increases the volume of digital data that must be protected. Information security usually requires implementing costly software and hardware solutions. Because of the risks that come with the sensitivity of a company's information, it also creates the need to hire a highly qualified cybersecurity specialist to counter such threats. Managed Security Service is an affordable out-of-the-box solution that provides comprehensive protection of your data.