PETALING JAYA: A cybersecurity expert alleged that millions of personal records belonging to Malaysian workers were exposed on a government portal.
Dr. Suresh Ramasamy wrote on LinkedIn that he was alerted about the possible data leak on the Public-Private Covid-19 Immunisation Programme (Pikas) website. Pikas is an initiative of the Ministry of International Trade and Industry (MITI).
He claimed to have discovered a Pikas portal server which allowed him to access an open directory containing Excel files with employee details, including MyKad or passport number, employee ID, age, gender and contact number. He claimed to have seen more than 2,000 files.
Suresh questioned why the directory was left open, which he said could lead to issues such as the data being leaked on the dark web.
“These types of incidents further erode trust in the ability of the government to safeguard data. This is further compounded by the fact that the Personal Data Protection Act in Malaysia conveniently excludes government agencies from being responsible for managing data.
“The scale of data being lost is huge, and has a far-reaching impact beyond just today's article,” he posted on the social networking platform.
Suresh added that he made a complaint to CyberSecurity Malaysia (CSM), which responded a few days later, saying that the case had been closed.
According to an email sighted by website CodeBlue, CSM replied: “Please be informed that the content you reported to us are no longer available. We hope this is of help and with this we shall close the case.”
When contacted, CSM said it has “no statement from CSM as of now”.
The Pikas portal is currently inaccessible. According to CodeBlue, the website was taken down shortly after Suresh posted his article.
MITI started the Pikas programme on June 16, 2021 with the goal of immunising at least two million manufacturing workers by the third quarter of last year.