PETALING JAYA: With cybersecurity threats and data leaks becoming the norm today, so too have calls for accountability towards all parties when it comes to the protection of data.
CEO and founder of cybersecurity firm LGMS Bhd, Fong Choong Fook, believes that cybersecurity incidents will remain an ongoing issue until more severe penalties are put in place.
“There should be a review of the Personal Data Protection Act 2010 (PDPA) to further extend the coverage of the Act and impose a more severe penalty from a legal perspective, on both private organisations and government agencies responsible for data leaks.
“Otherwise, every now and then the negligence of government agencies could cause data leaks,” he said.
In the latest incident, the personal data of over 802,259 Malaysians, allegedly siphoned from the MySPR Daftar website, is being sold on an online forum for US$2,000 (RM9,240), to be paid in bitcoin or monero cryptocurrency.
The seller claimed that the Election Commission database includes selfies and MyKad photos that were provided for online voting registration on its MySPR Daftar website through the electronic Know Your Customer system.
The database is alleged to contain over 1.6 million photos, with a file size of 67GB.
The uploader claimed that the database also contains the full names, MyKad numbers, email addresses, hashed passwords, phone numbers, birth dates and addresses of voters.
Though the post was first made back on April 11, its existence was highlighted by Twitter user @acaiijawe on Wednesday.
In another post, the uploader is selling the personal data belonging to 22.5 million Malaysians born between 1940 and 2004, allegedly obtained from the My Identity API.
The MySPR Daftar website was launched back in 2019. It allowed Malaysians to register as voters online, though with the shift to automatic registration this year, the MySPR system now only functions for changing voting addresses and the application for postal voting for those overseas and other eligible individuals.
Both threads made by the uploader are still up on the forum.
Fong also called for more transparency in the investigation of cybersecurity incidents such as this.
“We have so many prevention and detection technologies in place, but there is no transparency in the investigation or outcome, so we do not know what the root causes are.
“But one thing is for sure, we know that the government is not doing enough, which is why we are continuously seeing cyberattacks impacting the public sector.
“I think the government needs to review who it’s engaging as security advisers and their security capabilities. We need to set a higher standard,” he added.
Bar Council co-chair of the intellectual property committee, Foong Cheng Leong, concurred, saying that such incidents have happened many times but nothing substantial has been done by the government to secure people’s data.
“Given the poor security measures by the government, the public should not volunteer so much information to them.
“The public must also demand an explanation from SPR and that it discloses full details of the investigation. Authorities have to re-look their security practices, including the online verification process,” said Foong.
The Personal Data Protection Department declined to comment, saying that the PDPA (Act 709) doesn’t apply to state and federal government bodies.
The Act, it said, is for regulating the processing of personal information in commercial transactions.
CyberSecurity Malaysia also declined to comment while the Malaysian Communications and Multimedia Commission has yet to respond as of press time.