Expert Insight: Bykea Delivery Svc. Unencrypted Server Leaks 400 Million Customers’ Data


Source: Security Experts | Informationsecuritybuzz.com

Pakistan-based delivery and rental company Bykea left a production server exposed to the internet, allowing unauthenticated access to over 200GB of data containing more than 400 million records showing customers' full names, locations and other personal information.

EXPERT COMMENTS

| February 01, 2021

Saryu Nayyar, CEO, Gurucul

Exposing the infrastructure made their environment vulnerable to a range of attacks.

The reported data breach from Bykea in Pakistan is not so much a breach as a lapse of basic system administration standard practices. Leaving a server accessible to the open internet with no authentication and no encryption is almost hard to imagine in 2021. Here, a misconfiguration has revealed customer, business, and employee information that could easily be used for social engineering, identity theft, and other attacks. Exposing the infrastructure also made their environment vulnerable to a range of attacks, including data theft and ransomware.

This highlights how important following industry best practices is for basic administration tasks, let alone for information security. Fortunately, there are a range of tools that can help prevent these lapses, from system automation tools in the SysAdmin world to security analytics on the security side.
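The lapse described above, a service answering anonymous requests with data instead of a 401, is something an administrator can test for before an outsider does. The following is an added example, not code from the article, from Bykea or from any of the commenters: it probes a list of URLs with no credentials and flags any that return a 2xx body. The two localhost servers, the `/records` path and the sample payload are constructed fixtures standing in for an exposed production endpoint and a correctly protected one, so the script runs offline.

```python
"""Audit HTTP endpoints for unauthenticated access.

Added example (not from the article or from Bykea). A private service should
answer an anonymous request with 401/403; a 2xx with a body means anyone on
the internet can read it. The two local servers below are constructed
fixtures: one misconfigured like the exposed server, one requiring auth.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample payload standing in for leaked customer records.
SAMPLE_RECORDS = b'[{"name": "A. Customer", "phone": "+92300xxxxxxx"}]'


class OpenHandler(BaseHTTPRequestHandler):
    """Misconfigured service: hands data to anyone, no credentials required."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(SAMPLE_RECORDS)

    def log_message(self, *args):  # keep the fixture quiet
        pass


class ProtectedHandler(OpenHandler):
    """Hardened service: refuses to serve data without an Authorization header."""

    def do_GET(self):
        if not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="records"')
            self.end_headers()
            return
        super().do_GET()


def start_server(handler):
    """Bind an ephemeral localhost port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_requires_auth(url, timeout=3.0):
    """Probe one URL with no credentials and return a finding dict.

    'exposed' is True when the service returns a 2xx anonymously.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "auth-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body_len = len(resp.read())
    except urllib.error.HTTPError as e:  # 401/403/404 etc. land here
        status, body_len = e.code, 0
    return {"url": url, "status": status, "bytes": body_len,
            "exposed": 200 <= status < 300}


def audit(urls):
    """Probe every URL and return only the findings that are exposed."""
    return [f for f in (check_requires_auth(u) for u in urls) if f["exposed"]]


def demo():
    """Start both fixtures, audit them, and return the exposed findings."""
    open_srv = start_server(OpenHandler)
    prot_srv = start_server(ProtectedHandler)
    try:
        urls = [f"http://127.0.0.1:{s.server_port}/records"
                for s in (open_srv, prot_srv)]
        return audit(urls)  # only the OpenHandler endpoint is reported
    finally:
        open_srv.shutdown()
        prot_srv.shutdown()


if __name__ == "__main__":
    for finding in demo():
        print(f"EXPOSED {finding['url']} -> HTTP {finding['status']}, "
              f"{finding['bytes']} bytes returned without credentials")
```

Point `audit()` at the externally reachable addresses of your own services (the hostnames an attacker would see, not internal ones) and treat any `exposed` finding as a production incident; the same check belongs in a deployment pipeline so that a service cannot ship with authentication disabled.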

 

| February 01, 2021

Chloé Messdaghi, VP of Strategy, Point3 Security

In 2021 encryption should be a no-brainer.

This is a case study in why every government needs to step in and enforce some fundamental data privacy protection legislation with penalties. Not too long ago, attackers deleted this company's customer database, but they had backups and were back in business.

Now, because of a failure to practice fundamental encryption to protect their customers' data, some 400 million people's financial, location, national identity card and personal data have been exposed, and their lives are likely to be upended at some point.

In 2021 encryption should be a no-brainer. The first step must be better regulation governing all organizations collecting financial data and requiring them to use encryption. That mandate must come from all national governments large and small, with superpowers such as the US taking a lead, and with Zero Trust policies enforced as well.

Here in the US, we also lack requirements of businesses that reflect the practices mandated by the EU-US Privacy Shield and GDPR. It's past due time, and until our legislators take strong and informed actions, people are only going to continue getting hurt.

 

| February 01, 2021

Tom Garrubba, Senior Director and CISO, Shared Assessments

Bykea has not learned much from their previous (September 2020) cyber incident.

It is hard to believe that, with the ever-increasing threat of a cyber-attack, there would be such a careless disregard of basic cyber hygiene. On the surface, the failure to establish or even follow documented security hardening standards, to provide basic encryption of customer and proprietary data, and to observe generally accepted IT operational best practices provides evidence that Bykea has not learned much from their previous (September 2020) cyber incident. I would hope that this new "wake up" call does not come too late for Bykea, which may start to see competitors exploiting this latest incident for their own benefit by chasing customers who are disgruntled that Bykea has historically acted so carelessly with their data.

 
