Lessons from AXA's data breach, Latest Views News - The New Paper

Lessons from AXA's data breach

This article is more than 12 months old

Customers affected by the recent data breach should take precautions

An obvious concern with data breach incidents such as the latest one involving AXA Insurance in Singapore is the threat of phishing.

Phishing refers to fake emails or SMS messages aimed at exposing account credentials and other personal information spawned by the breach.

In this case, that threat is two-fold.

First, AXA's current and former customers whose data were stolen may be specifically targeted because their e-mail addresses and cellphone numbers were included in the stolen data.

That information is now in the hands of unknown, likely malicious, actors and may even have been sold to others via underground cybercrime sites.

Those e-mail addresses or phone numbers could be targeted with spam falsely claiming to be from AXA and would likely solicit further personal data.

Second, more people could be targeted with messages falsely claiming some sort of relationship to the AXA data breach, leveraging the heightened awareness resulting from the media attention it has received.

Such scams are almost limitless in scope.

For example, scammers could claim to be from AXA and are ''following up'' on further data security issues.

They might also claim to be from another insurance company, or a company in an unrelated business sector, reassuring customers that their data is secure.

A broader concern for AXA customers arises from a claim reportedly included in a notification e-mail from AXA

The letter indicated that AXA became aware of this data breach only recently, with the actual breach occurring ''a few'' months ago.

Thus, victims whose data were exposed may already have suffered phishing attempts related to this data breach.

Anyone whose data was exposed in this breach should change all passwords they suspect may have been exposed post-breach.

That does not just mean their AXA Health Portal password but also passwords on any other site where they may be using the same, or a similar, password.

Obviously, password reuse is a risky practice, but many do it: Now would be a good time to change that practice.

Finally, given that the data breach includes customer email addresses, it is not advisable to use e-mail as the main notification mechanism to alert customers of the data breach.

Given that little critical personal information was exposed in this breach, phishing of such victims is one of the highest risk outcomes of the breach.

This does not preclude using e-mail to notify victims of the breach, but it would be minimally prudent for that e-mail notification to include a link to an official statement on the corporate website as an
additional point of verification.

The writer is vice-president of Asia Pacific and Japan at LogRhythm. LogRhythm is a leader in security intelligence and analytics.