PETALING JAYA: With the recent data breach at payment gateway iPay88, experts are saying that it is high time that companies invested more to ensure systems are developed with security and privacy mechanisms as part of the development process.
Cybersecurity expert Prof Dr Selvakumar Manickam of Universiti Sains Malaysia said companies should also invest in hiring white hats or ethical hackers to perform penetration tests and patch any “holes” found before launching the systems.
“Security audits should be carried out from time to time and certified by cybersecurity experts. Online service providers should not be allowed to operate if they fail to obtain such certification.
“As part of the amendment of laws and regulations relating to cyberspace, online service providers must be made accountable when such data breach or data leak happens.
“Currently, most security measures are reactive, meaning remedial actions are only taken after the breach happens. Cybersecurity has always been an afterthought,” he told The Star.
The Personal Data Protection Act 2010 (PDPA) is slated for amendments with key points being the game changers in the implementation and enforcement of the law.
Prof Selvakumar said it is almost impossible for any online service provider to guarantee its services are 100% secure and not liable to be hacked.
This, he said, is due to flaws and weaknesses that exist in the system that are yet to be discovered by hackers.
“Most online services are ‘ticking time bombs’ waiting for some criminal to find its vulnerabilities and exploit them eventually but without such services, it would be extremely difficult for people to carry out online activities and transactions.
“Just like driving a car comes with the risk of an accident, online services come with their risks. We, as users, can only put our trust in the service providers, hoping they have performed their due diligence in ensuring their services are secure,” he added.
Prof Selvakumar underlined the importance of ensuring two-factor authentication with the user’s mobile device.
“Use virtual accounts where possible, as it allows better traceability and hides the actual credit card information. It is also important to check and monitor credit card activities,” he said.
He added that data breaches are not exclusive to Malaysia as cyberthreats and hacking attempts are rampant around the world.
“The onus is on the system developers, Malaysian or not. As mentioned earlier, until companies invest and put real effort into ensuring their systems are secure, such incidents will keep happening,” he said.
Prof Selvakumar also said criminals find it easier to “hack” the user, meaning that users can be tricked into divulging personal information or clicking on links that lead to malicious websites.
“This is called social engineering, a field that combines technology, psychology, sociology, and other domains. Education and awareness programmes can prevent users from becoming scam victims,” he said.
Communications and Multimedia Minister Tan Sri Annuar Musa had said immediate action was taken on the iPay88 cybersecurity incident that took place in May.
The matter was handled by the Department of Personal Data Protection and Cyber Security Malaysia, which held a meeting with iPay88.
In light of the matter, Bank Negara Malaysia also instructed banks to immediately notify cardholders of additional protective measures that will be taken to further protect them against risks of fraud or unauthorised transactions.
The central bank said forensic investigations on iPay88 are still ongoing.
Malaysia has been subjected to several data leaks over the past years, with a recent case related to the International Trade and Industry Ministry’s Public-Private Covid-19 Industrial Immunisation Programme (Pikas).
In mid-May, a data leak was reported by local tech portal Amanz, where a 160GB-sized database with personal details of 22 million Malaysians belonging to the National Registration Department was being sold for US$10,000 (RM43,950) on the dark web.
Deepak Pillai, a technology, multimedia, telecommunications and data protection partner from Christopher and Lee Ong, attributed the continuous data leaks in the country to a lack of seriousness on the part of some businesses in addressing their cybersecurity.
This, he said, combined with a lack of reported enforcement actions and the relatively light penalties under the PDPA contributed to an environment where data breaches are taking place with increasing frequency.
“With the government indicating that it is in the midst of drafting a Cybersecurity Act which will be tabled next year, I hope there will be more focus by all parties on cybersecurity.
“That, together with the concept of ‘privacy by design’, where organisations are required to address the protection of personal data from the very conception of a project, rather than as an after-thought, will address many of the issues that are currently being faced.
“Ecommerce will carry on nevertheless. I think people will take note of the breaches and the necessary action.
“At the end of the day, it is the reputation of an ebusiness or eservice that will determine its success or failure,” he added.