“Using this information, with phone banking and others, you can easily get access to a number of bank accounts and transfer money, even in this period,” he said.
“Many banks and other institutions will just ask you, ‘Hey, what’s your name, what’s your date of birth, what’s your email address, what’s your phone number’, and some of that information or all of that information is basically in that app, ManageMyHealth.”
Chopra said the company’s layers of security, like password protection and encryption, weren’t appropriate for the level of sensitive data the company held.
He said the company did not apply about 17 different controls, culminating in a security breach.
“These kind of 101 basics and this stuff, it does need some investment, but when you’re holding critical information like health information and personally identifiable information, these should be your basics,” Chopra said.
On Friday, ManageMyHealth said it encrypted health data in its database and user passwords.
“[ManageMyHealth] is an ISO 9001 and ISO 27001-certified organisation,” it said. “We have quality assurance processes with regular testing of our systems.”
Chopra said hackers often targeted people on holiday or outside business hours, so victims couldn’t verify the information they were given through an official channel.
“Either you are busy doing something and you will just fall for that thing that they have said, or if they have created kind of an emergency kind of situation, then you fall for it,” he said.
“If you even call your own bank or your agency, or someone else, you will be outside of office hours and you will not be able to get that answer back.”
Chopra urged people not to rush into answering what could be a scam email or message.
– RNZ