This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
Weeks before the Wannacry ransomware attacks, I became another victim of cybercrime earlier in April 2017.
My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore. Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 that was transacted on the same card at the same location.
It was somewhat ironic, because I had highlighted recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA) that was passed by the Singapore parliament just days before the unauthorised credit card transactions. Like most victims of cybercrime, it is unlikely for me to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the correct direction to address the proliferating ease of obtaining valuable and/or sensitive personal data, for commissioning or facilitating other offences.
Buyer Beware: Using Hacked Personal Data Could Be A Crime
With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies in the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.
One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps under the existing law against, "middlemen" that trade in such personal data, but are not directly involved in the computer hacking offences. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill))
As a consequence, the legislative changes would also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking.
For any personal data obtained or retained by individuals and companies to which the origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is not collected or used for the purpose of committing, or in facilitating the commission of, any offence ("legitimate purpose").