Cyber crime and data protection in Mexico, Part I

Cyber crime and data protection in Mexico

According to a recent study by PricewaterhouseCoopers (PwC), nearly 87% of Mexico-based companies experienced a cyber attack in the last 12 months – amounting to over 3 million incidents. With more users and faster networks than ever, the Organization of American States (OAS) is looking to strengthen policies that protect governments and civil society against illicit cyber activities.

This would particularly benefit Mexico. Since 2013, cyber attacks in Mexico have jumped by several hundred percent. According to the Tech Strategy Unit of the Presidential Office, the nation currently loses over USD $3 billion per year in breaches, identity theft and other unlawful cyber activity.

Although this increase is mostly due to a sharp rise in online payments and digital banking, Mexico’s security breach rate, according to the PwC study, is now 13% higher than the global average.

Small businesses at risk

As in earlier years, universities, transport and services companies in general were hard hit by hackers. A growing number of online breaches were also reported by manufacturers, family-owned businesses and retail chains. Last year’s cyber attack on retailer Liverpool – the nation’s 3rd largest issuer of credit cards – confirmed this trend.

Surprisingly, over 60% of cyber attacks were targeted at small- and medium-sized entities. “If you think that being a small business is going to protect you, then you’re terribly deluded,” said Alan Brill, senior managing director of cyber security at Kroll Mexico.

Hackers routinely target smaller companies because their security systems are usually less sophisticated. Although the rewards are smaller, said Brill, the risk of getting caught is practically nil.

Financial sector continues battling hackers

Although the financial sector is still highly vulnerable to cyber attacks, “it’s also the industry that has taken the biggest steps to cover this growing problem,” said Marcela Flores, Managing Director of Lockton México, a risk management firm.

Last year the industry in Mexico lost an estimated $100 million on data breaches. The real figure, however, is much higher, as a large percentage of targeted firms avoid going public for fear of reputational damage. Many organizations aren’t even aware of a breach.

The PwC report confirms why Mexicans hesitate before making online purchases or revealing personal info online. Only 22% trust banks and financial institutions to protect their private data, far below the rate in most countries. These latest figures seem to justify their fears.

“Mexico is already known as a paradise for the theft of personal information, as there are so many leaks and vulnerabilities, especially at public agencies. This makes (these institutions) an appealing target for people dedicated to stealing information and using data for unlawful purposes,” says Issa Luna Pla, a cyber law specialist at the Institute of Legal Investigations of the UNAM.

Unified data protection law

Why is Mexico so “leaky”? PwC blames it on (a) lack of investment in cyber crime protection, both by public and private entities; and (b) remarkable slowness by the government to take effective measures.

According to the Global  Cybersecurity  Agenda of the International Telecommunications Union (ITU), Mexico still doesn’t have a national governance road map for security in cyberspace. Not only does the country lack proper institutional structures, its public agencies are not even certified under internationally recognized standards.

It wasn’t until 2010 that Mexico’s Congress enacted the first law to fight cyber crime, the Law on the Protection of Private Personal Data (Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

This “unified” statute regulates “all data that is processed, transferred or disposed by private parties or public entities”. It requires Mexican companies to appoint officers responsible for establishing technical and physical safeguards to ensure the protection of personal data “from loss, damage, alteration, destruction and unauthorized access or use”. The law also requires senders to issue a privacy notice before acquiring the legal right to collect information.

Although Mexico’s Congress has subsequently passed new laws and modified existing ones in relation to online privacy, cyber bullying and child exploitation, this statute has several notable problems, not least of which is virtually zero enforcement.

Despite penalties that often exceed $1 million for acquiring data fraudulently or without users’ consent, the government has rarely brought a case against a cyber criminal.

The Feds go digital

Like many nations, Mexico is still building its cyber enforcement agencies. Here are some significant achievements over the past seven years:

  • 2010. Formation of the Computer Security Incident Response Team (CERT-MX), responsible for protecting critical infrastructure, managing cyber incident response, investigating electronic crimes, analyzing evidence and responding to digital threats that would affect the integrity of critical networks.
  • 2011. Creation of the Scientific Division of the Federal Police to operate forensic and criminology laboratories in coordination with the nation’s intelligence agencies.
  • 2011. Establishment of the Coordination Center for the Prevention of Digital Crimes to monitor and protect critical infrastructure.
  • 2014. Launching of the National Information Security Strategy to coordinate the nation’s defense against major cyber security threats.

Cyber crime and data protection in MexicoAlthough CERT-MX is under the jurisdiction of Mexico’s Armed Forces, the main civil authority for cyber crime is the Federal Police. Given its central role, the Scientific Division was established with specially-trained personnel to monitor and investigate cyber offenses, in particular identity theft, child pornography, cyber fraud and phishing.

The Scientific Division currently collaborates with over 300 teams from 69 countries dedicated to the prevention and combat of online crime. In 2014, the Division signed a joint venture with Microsoft focused on helping vulnerable populations combat data theft, child porn, human trafficking and fraud.

Despite these advances, Mexico has still not enacted cyber-security legal codes. Laws in cyber-security matters fall under the Federal Criminal Code, mostly involving financial crimes, information security, and the use of technology in other crimes, such as terrorism, kidnapping, and drug trafficking.

Although a Specialized Information Security Committee was formed to create a National Cyber-Security Strategy, this task is still on hold. All cyber-security matters are currently handled on an ad hoc basis through the Cyber Police and Scientific Division. Fortunately, personnel from these divisions “participate in specialized training from the Police Development System (SIDEPOL), as well as from numerous other security and law enforcement organizations in countries including Colombia, the US, Holland and Japan.”

Mexico is also in the final stages of amending federal laws and regulations that will allow it to complete accession to the Budapest Convention. A broad consensus of the nation’s executive, legislative and judicial leaders met at a conference in Mexico City in March 2014, where they “agreed on the need for key reforms”.

Words and actions involving such broad coalitions often notably diverge. Although most experts consider initiatives like the Budapest Convention to be a positive step, they believe that Mexico’s approach over-relies on laws and regulations, making it difficult if not impossible to outpace technological change.

An uphill battle

Given its population, energy resources, critical supply chains and close proximity to the US, it’s unsurprising that Mexico receives the 2nd largest number of cyber attacks in Latin America, after Brazil.

Most Mexican organizations have already been targeted, and these attacks seem likely to increase in sophistication and frequency in the near future.

“There are more users, more connections, more data and more devices connected to the network than ever and this makes organizations more vulnerable to cyber attacks,” said Edgar Vázquez, head of government sales for Intel Security Mexico.

This increase in online activity has also led to a significant escalation in more serious online crime, in particular identity theft, credit card fraud, and online exploitation of minors. Mexico now ranks number one in the world for pornographic material involving minors and is in second place for online production.

Unsurprisingly, the nation is already in the cross-hairs of cartels, which now use digital media to control, manipulate and disseminate false information. Some violently threaten those who reveal information about their organizations.

Given these daunting challenges, many question whether the Mexican government is equipped (and committed) to protecting itself – much less its citizens – against cybercrime. Is it willing to replace aging infrastructure with newer and faster equipment? Will it insist on compliance not just with national norms but with international best practices? Will it train and implement better accountability mechanisms? Will it promote greater data sharing between agencies?

These are just a few of many questions that must be answered. As I0T and artificial intelligence becomes more pervasive, and Mexico’s online population grows, more vulnerabilities will emerge.

In a word, Mexico needs to up its game.