Not everyone who wanted to buy the bank cards stolen from Southeast Asian owners would pay the same price: The higher the amount of money left on the card, the higher the price. That's according to Technisanct, a cybersecurity company based in India, which said it found the data for hundreds of thousands of cards for sale online, taken from citizens in the six largest nations in Southeast Asia.
The card theft comes as statistics show cybercrime is on the rise across all the Association of Southeast Asian Nations, prompting local calls for more stringent regulations and protocols to fight the trend.
"The results are alarming as it seems no one is aware that such a huge volume of payment card details, including the CVV (card verification value) and PIN, are available," said Nandakishore Harikumar, chief executive officer of Technisanct.
The company said its researchers found that more than 300,000 stolen card accounts were being sold on the internet last month. It said the accounts belonged to customers in Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam.
The leaked information is just the latest instance of a region-wide trend, and ASEAN is paying the price. IBM Security commissioned research, released in the 2019 Cost of a Data Breach Report, which assessed impacts for the global economy.
Between 2018 and 2019, the ASEAN region saw a cost increase in all of the key indicators measured by the researchers, namely the average size of data breaches, the average total cost, and the average cost per piece of data that is breached.
The leak also coincides with what security researchers say is an increase in global cyberfraud by criminals exploiting the COVID-19 virus emergency. Hackers this month went after the website of the U.S. Health and Human Services Department, as well as targeting the increasing number of people now working from home with unsecured wireless internet.
Southeast Asians' increasing awareness of cyberthreats in recent years has led to increasing regulation aimed at increasing data protection. This year, Singapore criminalized "doxxing," which refers to posting other people's personal information online, usually to threaten or embarrass them. Indonesia has proposed its first-ever data privacy law, which includes punishment of up to seven years in jail and $5 million in fines for sharing private data without consent.
Vietnam already had a cybersecurity law but has released new subsidiary regulations under that law with further guidelines. They include specifics about when websites must take down information considered to be violating the law, and which organizations must store data domestically.
"Vietnam witnessed an increase in the number of cyberattacks and data leakages in 2019, and the country has been among the top targets for cyberattacks in recent years," Pho Duc Giang, director at PwC Vietnam Cybersecurity Services Company, said.
"To leverage on growing business opportunities in the digital economy's booming period, Vietnam enterprises need to actively prepare for new challenges by adapting and complying with up-to-date" standards, he said.
Such standards go beyond what is required by the law. Security researchers recommend companies and individuals think more carefully about their behavior on the internet.
They can use software to manage their passwords —so they don't have to memorize ones that are easy for hackers to crack—as well as change the passwords for devices like their wireless routers and smart plugs, rather than use the default settings set by the manufacturer.
And as employees are working from home to combat the coronavirus, there are reports that hackers have been sending phishing emails posing as managers seeking employee log-in credentials, or as officials from the Centers for Disease Control and Prevention offering information. During this emergency and beyond, the recommendations for better online behavior could be useful both inside and outside Southeast Asia.