More stories

  • in

    Singapore bank faces regulatory action over 'unacceptable' digital service outage

    Singapore bank DBS’ second major online service outage in just over a year is “unacceptable” and indicative of its failure to ensure system availability. It now faces supervisory actions from industry regulator, Monetary Authority of Singapore (MAS), which said it placed great emphasis on the reliability of banks’ critical IT systems. DBS on Wednesday morning said via its Facebook page that access to its digital services, including its mobile payment app PayLah, was unavailable. The bank said its systems were “secure and uncompromised”, but gave no details on what caused the disruption in its initial and subsequent updates as the outage persisted throughout the day. Some customers reported being asked to reset their PIN when they tried to log into their accounts, prompting concerns of a scam. One customer said DBS should have posted a service notification on its login page and disabled all login attempts to ease such concerns. The bank’s online services were restored in the evening, about 10 hours after they went down. Noting that the latest incident came a year after a similar service outage in November 2021, MAS said DBS had “fallen short” of the regulator’s expectations to ensure high system availability and swift recovery of its IT systems. The bank had been instructed to run a full investigation so the root cause of the disruption could be identified, MAS said, adding that it would take supervisory actions once the necessary facts were established.

    DBS’ November 2021 service outage lasted two days and was caused by a problem with the bank’s access control servers, resulting in customers’ inability to log into their account. For the disruption, MAS had imposed on the bank an additional regulatory capital requirement totalling SG$930 million.

    Singapore in recent years has implemented tighter guidelines for the financial sector, as part of efforts to boost the cyber resilience of the country’s critical information infrastructures. These include technology risk management processes, such as having “strong oversight” of partnerships with third-party service providers to ensure data confidentiality as well as security controls and stress tests.

  • in

    The new AI boom could increase data breaches, if companies aren't held responsible

    Swept up in the ChatGPT craze like many others, a friend recently asked the generative AI platform who I was and to write up my personal profile.

    ChatGPT knew I was a journalist from Singapore who specializes in tech and that I was an old fart with more than 20 years of industry experience. Okay, it didn’t exactly say old fart, but it would have been accurate if it did.

    What ChatGPT didn’t get right was a bunch of pretty basic information that could easily have been found online. It shared incorrect dates of when I joined various media companies, even adding in publications I never wrote for. It listed incorrect job titles and gave me awards I never won.

    Interestingly, it pulled a list of articles I wrote from way back in 2018 and 2019 that were “particularly noteworthy and had a significant impact.” It didn’t explain how it assessed these for noteworthiness, but I personally didn’t think they were at all earth-shattering. What I thought would have made more sense were articles that generated a comparatively higher volume of shares or comments online, and trust me, some of the hate mail would have had a more significant impact than the ones the algorithm pulled.

    So I would say my ChatGPT-powered profile is just about 25% accurate, though I wish this statement was true: “Eileen Yu is a respected and influential figure in Singapore’s media industry, known for her expertise in technology news and her commitment to journalistic excellence.” An old fart can indulge a little, can’t she?

    I suspect the inaccuracies are likely due to the lack of personal data ChatGPT was able to find online. Apart from the articles and commentaries I’ve written in the past, my online footprint is minimum. I’m not active on most social media platforms and intentionally so. I want to keep private information private as well as mitigate my online risk exposure.

    Call it a job hazard if you will, but my concerns about data security and privacy aren’t exactly unfounded. The less the internet knows, the harder it is to impersonate and the less there is to leak.

    And with ChatGPT now driving even more interest in data, there should be deeper discussions about whether we need better safeguards in place.

    Cybersecurity threats and even breaches are now inevitable, and there are still too many that occur today due to unnecessary oversights. Old exploits are left unpatched and unused databases are left unsecured. Code changes are not properly tested before rollout and third-party suppliers are not properly audited for their security practices.

    More rigorous penalty framework needed

    It begs the question of why companies today still aren’t doing what’s necessary to safeguard their customers’ data. Are there policies to ensure businesses collect only what they need? How often are companies assessed to ensure they meet basic security requirements? And when their negligence results in a breach, are penalties sufficiently severe to ensure such oversight never occurs again? Take the recent ruling on Eatigo International in Singapore, for instance, which found the restaurant booking platform had failed to implement reasonable security measures to protect a database that was breached. The affected system contained personal data of 2.76 million customers, with the details of 154 individuals surfacing on an online forum where they were offered for sale.

    In its ruling, the Personal Data Protection Commission (PDPC) said Eatigo had not put in place several safeguards, including not conducting a security review of the personal data held in the database. It also did not have a system in place to monitor the exfiltration of large data volumes and failed to maintain a personal data asset inventory or access logs. Furthermore, it was unable to establish how or when hackers gained access to the database.

    For compromising the personal data of 2.76 million customers, including their names and passwords, Eatigo was fined a whopping… SG$62,400 ($46,942). That’s less than 3 cents for each affected customer. In determining the penalty, the Personal Data Protection Commission (PDPC) said it considered the organization’s financial situation, bearing in mind penalties should “avoid imposing a crushing burden or cause undue hardship” on the organization. The Commission did acknowledge a mere warning would be inappropriate in view of the “egregiousness” of the breach. I get that it’s pointless to impose penalties that will put a company out of business. However, there has to be at least some burden and due hardship, so organizations know there is a steep price to pay if they treat customer data so haphazardly. Exposing personal information can lead to potentially serious risks for customers. Identity theft, online harassment, and ransom demands, just to name a few. With consumers increasingly forced to give up personal data in exchange for access to products and services, businesses then should be compelled just as much to do what’s necessary to protect customer data and suffer the consequences when they fail to do so.

    Singapore last October increased the maximum financial penalty the PDPC can impose to 10% of the company’s annual turnover if its annual turnover exceeds $10 million. This figure is $1 million for any other case.

    I would suggest regulations go further and apply a tiered penalty framework that increases if the compromised data is deemed to carry more severe risks to the victims. Health-related information, for instance, should be categorized under the topmost critical category, resulting in the highest financial penalty if this data is breached. Basic user profile information such as name and email can be tagged as Category 1, which carries the least — but not necessarily low — amount of financial penalty if breached. More personally identifiable information such as addresses, phone numbers, and dates of birth can fall under Category 2, with the corresponding higher penalty. A tiered system will push companies to put more thought into the types of data they make customers hand over just to access their services. More importantly, it will discourage businesses from collecting and storing more than is necessary.

    The Australian Information and Privacy Commissioner Angelene Falk, for one, has repeatedly underscored the need for organizations to take appropriate and proactive steps to protect against cyber threats. “This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed,” Falk said in a statement early this month. “As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud, and scams, can increase. Organizations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimize the risk of further harm to individuals.”

    Following a spate of large-scale data breaches that took place in 2022, the Australian government in November passed legislation to increase financial penalties for data privacy violators. Maximum fines for serious and repeated breaches were pushed from AU$2.22 million to AU$50 million or 30% of the company’s adjusted turnover for the relevant period. When businesses are recalcitrant, the most effective way to make them listen is to hit ’em where it hurts most — their pockets. And in this emerging era of AI where data shines even brighter in glistening gold, companies will be digging more fervently than ever. They should then be made to pay back in kind when they lose it.

  • in

    How to automatically lock your Windows PC with Dynamic Lock

    The next step is to pair your phone with Windows, a process that differs between an iPhone and an Android device.

    iPhone

    To pair your iPhone in Windows 10, go to Settings > Devices > Bluetooth & other devices and click Add Bluetooth or other device. Select Bluetooth, and your computer will search for nearby devices.

    The iPhone pairing process is basically the same in Windows 11. Go to Settings > Bluetooth & devices on your computer and click the Add device button. Select Bluetooth from the popup window.

    Android

    To pair your Android phone with Windows 10, go to Settings > Devices > Bluetooth & other devices on your PC and click Add Bluetooth or other device. Select Bluetooth, and your computer will search for nearby devices. On your Android phone, go to Settings and look for a category called Connections or Connected Devices. Tap the button for Pair new device.

    The name of your Android phone should then appear in the list. Click its name to start the pairing. A PIN pops up. Tap OK on your phone and Connect on your PC to connect the two. Your phone appears in the list of items paired with your PC.

    To pair your Android device with Windows 11, go to Settings > Bluetooth & devices on your PC, click Add device, and select Bluetooth. On your Android phone, go to Settings and then Connections or Connected Devices. Tap the button for Pair new device. Select your Android phone in the list to pair it with your PC. After the PIN pops up, tap OK on your phone and Connect on your PC to pair the two.

  • in

    It's time to update all of your Apple devices again. Here's why

    Apple on Monday released software updates for its hardware lineup. The updates include new features, such as new emojis, along with overall performance improvements and bug fixes. More specifically, Apple released iOS 16.4, iPadOS 16.4, MacOS 13.3, WatchOS 9.4, tvOS 16.4, and HomePod software version 16.4. Perhaps most importantly, there’s a long list […]

  • in

    SMBs don't see need for cyber insurance since they won't experience security incidents

    Believing they will not encounter cybersecurity incidents, small and midsize businesses (SMBs) do not see a need for cyber insurance. Among 39% of SMBs in Singapore that are not considering or remain undecided about getting protection against cyber risks, half say it is because they are unlikely to experience cybersecurity or cybercrime issues. Another 54% say they do not store sensitive or personal data online and, hence, do not see a need for cyber insurance. These findings were from a study commissioned by insurer QBE Insurance Group in Singapore and conducted by Creative Way Consultants, which polled 416 decision-makers from local SMBs. The annual survey was carried out last quarter. Amid the apparent lack of enthusiasm for cyber insurance, though, 97% said they were aware of potential cyber risks to their business. Some 21% expressed concerns about data protection and security, with 38% admitting to being affected by cyber incidents last year, up from 26% in 2021. About 9% of respondents said they operated without any process or insurance against cyber risks, the study found. Digital transformation, though, remained of great interest, with 66% of SMBs embarking on digitalisation efforts over the past year. Another 34% said they would continue to invest in digital technologies to reach more customers, while 32% would do so to grow their business and 32% would digitalise for higher productivity. With their smaller pockets, it should come as no surprise that 29% of SMBs cited high cost of investment as a barrier in their digitalisation efforts. Some 27% pointed to a lack of financing, while 24% pointed to a lack of digital skills as a barrier. A further 23% saw potential business disruptions as a barrier, while 21% highlighted complexities in digital technologies. Another 21% saw the need to ensure data protection and security as a barrier to digital transformation. 
SMBs are hot targets of cybercrimes in Singapore, where these businesses account for the bulk of victims impacted by ransomware attacks. In particular, SMBs from sectors such as manufacturing and IT accounted for the bulk of reported ransomware cases in 2021. According to a study last year by Coleman Parkes, Singapore enterprises had to deal with 54 cybersecurity incidents on average each day, with 39% managing 50 to 200 such incidents a day. Some 62% said they were struggling to keep up with the evolving threat landscape. A report from Trend Micro last week estimated that Asia-Pacific experienced the most ransomware attacks last year, with 38.06% of such attacks targeted at the region. Some 18.9% of ransomware victims in Asia-Pacific chose to pay up, compared to the global average of 10% and 11.1% in Europe, which had the lowest ransomware payment rate. Of 14 billion threats it blocked in Asia last year, Trend Micro said more than 1 billion were in Singapore alone. Mobile security issues ranked the highest in Asia.

  • in

    iPhone or Android slow or buggy? Do this one simple thing every week

    As an avid tech user, I’m normally juggling multiple iPhones and several Android smartphones simultaneously. Despite managing so many devices, I find them highly reliable. The stability of PCs, laptops, smartphones, and tablets today is significantly better than it was a decade ago. In fact, I can’t recall the last time one […]