Cermati and Lazada Data Leaks, E-Commerce and Fintech Are Targeted
User data of financial technology (fintech) aggregator Cermati and e-commerce company Lazada was hacked. Based on research by Palo Alto Networks, these two sectors are indeed targeted by hackers. The breach of 2.9 million Cermati user records was revealed by the founder of the Indonesian Ethical Hacker community, Teguh Aprianto, via Twitter.
The hacked information ranges from full name, e-mail, address, cellphone number, account, occupation, population identification number (NIK), and taxpayer identification number (NPWP) to the user’s biological mother’s name. The data is being sold for US$ 2,200.
Cermati co-founder Andhy Koesnandar admitted that user data was leaked. After detecting unauthorized login access to the platform, the company, together with the National Cyber and Crypto Agency (BSSN) and external cybersecurity experts, immediately investigated.
It then removed the unauthorized access from the platform to secure user data. “We inform users about hacking and continue to urge them to carry out security measures periodically,” said Andhy, Monday (2/11).
The company also requires all users to implement two-factor authentication when logging in. “This is to prevent improper access to the linked accounts,” he said.
Cermati is also strengthening its security system by developing an information technology (IT) architecture and an Application Programming Interface (API) that are resistant to cyber-attacks.
This fintech aggregator provides financial services such as loans, credit cards, insurance, savings, and electronic money (e-money). Every month, the platform receives about five to six million visitors.
Lazada Has Also Experienced Data Breaches
Apart from Cermati, e-commerce company Lazada detected that 1.1 million data records of users of its online supermarket, RedMart, were hacked last week (29/10). “We found an incident related to data security in Singapore, which involved a special database RedMart,” said a spokesman, Sunday (1/11).
The compromised user data comprises names, telephone numbers, e-mail addresses, addresses, passwords, and parts of users’ credit card numbers. This information was then sold online by hackers. Even so, Lazada notes that the leaked user data is more than 18 months out of date.
The company updated the information in March 2019. The spokesman also confirmed that customer data in Southeast Asia, including Indonesia, was not affected by the incident. The Alibaba subsidiary also blocked unauthorized access to user databases. The company is also working closely with the authorities to crack down on hackers. In addition, it is strengthening its security infrastructure.
A cybersecurity researcher from the Communication Information System Security Research Center (CISSReC), Pratama Persadha, said that e-commerce and fintech were targeted for hacking because of the large amount of user data being managed. In the Cermati case, the data was taken from the activities of 17 companies.
He considered the data very dangerous if leaked. “An in-depth investigation through digital forensics is needed. Any security holes have resulted in data leaks,” Pratama said, as quoted from a press release, Tuesday (3/11).
Leaked Data Can Become Material for Fraud and Crime
The same applies to the Lazada user data, which was sold for US$ 1,500 on the dark web. “Even when checked at Raidforums in the country, someone had already sold it,” said Pratama. Hackers can sell this expensive data to advertising businesses.
In addition, it can become raw material for fraud and other crimes. “Bank fraud can be started with the capital of a name, address, e-mail, and cellphone number,” he said. This is especially so if the hacked data is the user’s credit card data. With a touch of social engineering and a careless banking officer, cybercriminals can take some money from victims.
Therefore, a PIN and a verification code or SMS one-time password (OTP) must be activated for credit cards. In addition, each transaction is subject to verification. Prior to Lazada, Bukalapak’s user data was hacked last year. Pakistani hackers claim to have stolen data from hundreds of millions of accounts from 32 sites.