The company did not give details of how the action happened, but the term “unauthorized access” has been widely used by companies to describe occurrences involving their systems.
This was the case at McDonald’s last April, when the cafeteria reported that customer data in Brazil was “accessed without permission”, and Americanas, Submarino and Shoptime, whose websites and apps were down for at least 3 days, in February.
Although some have taken this more drastic measure of paralyzing the online operation, few details were released and, amidst the suspicions raised, no company among those mentioned above used the term “hacker attack”.
- GDPR: what data protection law changes in your life
- Ransomware: how the virus is used in extortion and learn how to protect yourself
g1 asked digital security experts Eduardo Bernuy Lopes, president of Redbelt Security, and Thiago Ayub, chief technology officer at Sage Networks, to “translate” what “unauthorized access” means.
What is ‘unauthorized access’ to a website, database or social media account? Is it the same as invasion?
Ayub understands that yes, based on company reactions who decided to take their websites offline in the face of this occurrence or an attempt, as in the case of the Americanas and Fast Shop group.
“It is an exaggeration to demand that only someone who breaks down the door or blows out the window be called an intruder. [real ou virtual]it’s an invasion”, he says. “They can try to sugarcoat the pill by saying that they are different things, but in practice it is [invasão].”
Ayub considers the choice of the term “unauthorized access” by retailers in their announcements curious, since, in the case of online systems, this type of attempt happens “all the time, hundreds or thousands of times an hour”.
Not every access attempt is malicious: a security system can even identify an employee’s access from a different computer as “unauthorized”for example.
But Lopes, from Redbelt Security, points out that there is a low probability that this alone will lead a company to temporarily stop its activities, as happened with retailers. The same is true if the invasion had only been an attempt.
“It would only make sense to take services down to take cybersecurity actions if one of those accesses is successful,” says Ayub.
“What can lead to a suspension of the site and the application is if, in fact, you are very suspicious of some strange traffic on the site or successful unauthorized access”, adds Lopes.
Is ‘Unauthorized Access’ a Cyber Attack?
Not necessarily. In some cases, systems are suspended for preventionand not necessarily due to a consequence, such as data leakage, points out Lopes.
“The company sometimes chooses to disable some system, lock it, put a padlock on everything to ensure that no other loopholes are being exploited”, explains the president of Redbelt Security.
“When the facts were later found out, someone who shouldn’t have joined the company did. Whether she stole something, stole an item and took it with her, it’s not known. It’s just that she shouldn’t have been there and potentially could have done something harmful. “, says Ayub.
The director of Sage Networks also points out that if an access attempt is not successful, it means that the cybersecurity layers have worked and that no other measures need to be taken.
Why do companies give few details?
For Ayub, companies that suffer an invasion or attempt to attack are usually not very transparent in their communications.
“These statements by companies are usually not intended to inform, but to balance legal responsibility for protecting personal data and brand reputation,” says the expert. “So it’s almost always slippery messages, veiled, difficult to interpret what really happened.”
“It is possible to suppose that, more than [fazer] an attempt, the attacker achieved some kind of success, even if modest, accessing something he shouldn’t have and that motivated this untimely reaction on the part of the retailer’s IT”, he evaluates.
THE Lack of details by companies is also related to the way the General Data Protection Law (LGPD) workssays Lopes.
The law only obliges companies to manifest when there is a leak of users’ private data, such as CPF.
“At this time, when there is still a suspicion of unauthorized access, they [Fast Shop] they have to understand internally what happened”, he explains. “If there was a complete invasion with data extraction that will impact you, me and other people, who are customers, then they have to inform the National Data Protection Agency (ANPD) and to the market”.