MALAYSIANS sighed a huge relief earlier this month when organisations reportedly involved in an alleged data leak of some 13 million people refuted the claim as fake news.
The good news was welcomed by the account holders as the leaked information purportedly included their full name, date of birth and identity card number – important information widely used for banking and business transactions in Malaysia
The bad news, however, is that this is not the first data leak scare in the country, and very likely will not be the last.
There has been a considerable number of data leaks reported in the country in recent times.
While it is often not revealed if these data leaks were due to cyberattacks, many cybersecurity companies have compiled various data to show that there is a growing number of data breach cases in the country.
Japanese cybersecurity company Trend Micro’s recent Cyber Risk Index report, for one, showed that around 72% of Malaysian organisations were breached at least once last year.
Cybersecurity company and VPN provider Surfshark meanwhile found that from 2004 up to June 2022, Malaysia experienced around 44.2 million account breaches, according to a report by The Star.In Malaysia, up to 138 out of every 100 people has been affected by data breaches, the Netherlands-based company highlighted.
This means, statistically speaking, an average Malaysian has been affected by data breaches at least one time, Surfshark data researcher Agneska Sablovskaja was quoted as saying.
The growing number of data breaches locally is a cause for concern, especially as of late, numerous data breaches and data leaks involving government agencies and the financial industry have been reported.
In April last year, it was reported that the personal data of 22.5 million citizens on government servers were compromised and sold on the dark web for a reported price of just US$10,000.
While investigations have been launched on the alleged cases, it is clear that more needs to be done to prevent them from occurring again.
Cybersecurity expert Assoc Prof Dr Selvakumar Manickam from Universiti Sains Malaysia believes that a majority of data-theft is carried out through data leaks, as it is easier to carry out and does not require much technical knowledge, compared to data breach.
“Data leaks refer to data being exposed due to weaknesses that are already there in the system, for example, the door was not locked. Meanwhile, data breaches refer to systems being purposely and forcefully attacked,” he explains.
Dr Selvakumar says stakeholders or system owners, in most cases, do not take into consideration the cybersecurity requirements of their system during the development phase.
He explains that due to commercial pressure to release the system within a stipulated period and the fact that testing the system for cybersecurity issues and addressing requires a lot of time and effort, the system owners would typically put the cybersecurity component in the back seat.
This leads to poor data and system security, software developed lacking sanitisation and social engineering attacks.
“Nowadays, anyone with basic Internet and networking knowledge, by following the many videos and tutorials found online, can potentially become a hacker.
“If the organisations impacted claim to have taken the necessary cybersecurity measure, then they are not doing enough.
Criminologist Shankar Durairaja reminds that while cybersecurity measures are constantly changing according to cyber threats, it is also very important that stakeholders and bodies stay up to date and ahead of them.
“We need to understand that data leaks are due to operational issues as well as technical and human errors.
“Implementing a strong, layered cybersecurity approach and comprehensive data protection policies must be our primary task. All public and private organisations, regardless of size and importance, must have a robust defence system in place and develop an appropriate cyber-attack response plan.
“Additionally all strategic pillars listed in the Malaysian Cybersecurity Strategy 2020-2024 must be achieved as well,” he says.
Fong Choong Fook, CEO of LGMS, a specialised cybersecurity testing firm, says the search for a solution to data leaks is an ongoing issue as security is a recurring concern.
“Security concerns are multilayered as well as multifactored which also breeds the existence of different loopholes for each concern. So, it doesn’t matter what security measure is put in as there will always be loopholes,” he says.
Fong adds that cybersecurity issues such as data leaks and data breaches will also continue to be a part of our lives due to the raging development of technology as well as data constantly being readily available online.
Hence he says organisations as well as individuals need to have a prevention is better than cure mindset.
“Security measures need to keep up with time and the management of each and every organisation that relies on cybersecurity systems. Every system has a risk of developing a loophole, hence we need to keep assessing the strength and durability of our security systems,” he says.
Nevertheless, Fong agrees that the trend of data breaches and data leaks have been riding an upward trend in recent years.
“Judging from data taken from the police as well as Cybersecurity Malaysia, the trend has been increasing steadily over the years.
“Scams are an easy economy and the lack of accountability also adds on to this issue.
Additionally, Fong notes that all organisations need to embrace the understanding that cybersecurity is no longer just an IT issue but more of a business issue.
He stresses, if the government is to impose any policies, they should make sure accountability is taken seriously. The execution of the Personal Data Protection Act should also be relooked because over the years it has been considered weak.