PETALING JAYA: An anonymous individual has issued an online ultimatum to Universiti Teknologi Mara (UiTM) to step up the security on seven portals linked to it.
If the university does not implement Secure Sockets Layer (SSL) and Transport Layer Security (TLS), two cybersecurity protocols, by Feb 4, the person – known only as “AA” – has threatened to release leaked student data to a wider online audience.
Earlier this month, it was reported that the personal records of 1,164,540 students and alumni enrolled at UiTM from 2000 to 2018 had been leaked online.
In the ultimatum posted on the text storage site Pastebin on Jan 29, “AA” threatened to post 100,000 student records a day on Facebook, Twitter, Instagram, Pastebin, Telegram and WhatsApp.
The leaked student records include details like students’ names, MyKad numbers, house addresses, email addresses, campus codes, campus names, programme codes, course levels, student IDs and mobile numbers.
“AA”, who also claims to be the source that tipped off Lowyat.net to the UiTM data breach, claims to have all the leaked student records.
“It would take a basic idiot one day to implement this security measure across all the sites,” claimed “AA”, who sent the Pastebin link with his ultimatum to media outlets, including The Star, yesterday.
The seven portals he wants to see implement better security are the iSTUDENT Portal System, iLearn V3 Login, Electronic Question Paper System, Portal I-Staf, PRISMa, iRMIs and UiTM Consultancy Unit.
However, cybersecurity company LGMS director Fong Choong Fook said that while it’s a simple process to purchase and install security certificates like SSL, he doesn’t really see the lack of them as a critical vulnerability.
He said that these security measures protect a user’s data from being hijacked and seen by other parties, but this can only happen if the hacker and the victim are on the same network.
“Say, both you and I are surfing a website in a cafe. If the website is not entirely using HTTPS, I can potentially hijack your traffic and see the content. But, again, this requires tools and skills,” he said.
HTTPS or Hyper Text Transfer Protocol Secure is the secure version of HTTP and encrypts the communications between a user’s browser and the website he or she is surfing.
It is often used to protect transactions like online banking and shopping.
“AA” acknowledged that not all students cared if their data was leaked online, probably due to the lack of awareness.
“That’s why they’re indifferent. Until they personally see their own details out in the open, they won’t care. They don’t care because they don’t think this affects them in any way,” the person told The Star via email.
“AA” also claimed to be a UiTM student but refused to say if he or she was still studying at the university or has since graduated.
He or she claimed to have known about the lack of security at these UiTM sites since 2013.
“The missing security measures have existed ever since the systems went online. They were never implemented in the first place.
“Anyone can visit the portals and see that those pages do not have HTTPS, therefore anyone could steal potentially sensitive information.
“Reaching out to the staff was, of course, futile.
“They didn’t care, and even now they don’t care, apparently.
“I’ve told the staff multiple times that websites, especially those with login or registration forms, should have SSL/TLS – a.k.a. HTTPS.”
“AA” also accused the university of covering up the data breach.
“I’ve requested multiple times for them to release a press statement that there was, in fact, a breach, and data was leaked.
“Only after I tipped off Lowyat.net and news broke out did the university bother to release a statement,” the person said.
A UiTM spokesman said the university is looking into the demand by “AA”.