PADU: Malaysia’s National Database Dream Turns Into a Privacy Nightmare
Malaysia’s ambitious vision of a unified national database, PADU (short for Pangkalan Data Utiliti Kebangsaan, or National Utility Database), has stumbled at the starting line, tripping over a gaping security loophole that has reignited anxieties about data privacy and identity theft. The project, championed by the Ministry of Economics and launched with much fanfare by Prime Minister Anwar Ibrahim, promised a brighter future for social welfare and government efficiency. However, just hours after its unveiling, the dream curdled into a nightmare, leaving Malaysians questioning the cost of convenience in a nation scarred by past data breaches.
At the heart of the controversy lies a seemingly simple flaw: anyone armed with another person’s IC number and home postcode can register for PADU in their name. This innocuous-looking combination unlocks a treasure trove of personal information, including banking details, income, and even dependent relatives, offering a tantalising target for malicious actors. The revelation, exposed by former Deputy Trade Minister Ong Kian Ming, sent shockwaves through the public, echoing Malaysia’s recent history with cybercrime.
The Ghosts of Past Breaches Still Linger
In 2022, the personal data of a staggering 22.5 million citizens – nearly two-thirds of the population – was pilfered from government servers and sold on the dark web. This breach wasn’t just about names and addresses; it was a complete digital striptease, exposing everything from voting records to student loans, laid bare for anyone with a few dollars and a Malaysian IC number. The incident sent a tremor through national trust, and PADU’s launch, instead of building bridges, seems to have reopened old wounds.
Economy Minister Rafizi Ramli, the architect of PADU, attempts to quell the rising tide of fear. He acknowledges the loophole but assures the public that registrations remain in limbo until verified through an electronic Know-Your-Customer (e-KYC) process, which requires selfies and ID photos. However, this explanation rings hollow for many, who see the e-KYC as a flimsy Band-Aid on a gaping wound. “Why register at all if the system is so vulnerable?” asks computer engineer Shawn Tan, echoing the sentiment of a nation on edge.
Partnerships to Boost Public Cybersecurity Expertise
The concerns prompted PIKOM (Persatuan Industri Komputer Dan Multimedia Malaysia), the National ICT Association, to urge Putrajaya to strike a balance in its implementation.
PIKOM applauds the project’s goal of streamlining public services but believes that utilising internal public sector expertise should be weighed against engaging external experts when dealing with complex technology and sensitive data. They emphasise the importance of independent security assessments throughout development to prevent vulnerabilities like the recently discovered one, which could have been identified earlier.
The association suggests that the government must also consider collaborating with the private sector to upskill public officers in niche areas, especially in cybersecurity. “Industry attachments,” where public officers gain real-world experience in established private companies, could significantly enhance internal capabilities and ensure future projects prioritise robust security.
The Stakes Are Just Too High
In a recent event, Economy Minister Rafizi Ramli took to social media to address some of these early hiccups, offering assurances and clarifying key points about the system.
As of Wednesday morning (January 3, 2024), over 233,000 users had registered on PADU, with roughly 71% completing the e-KYC verification process. This marks a significant step forward, but Rafizi still acknowledged concerns about password changes being made using stolen Identification Card (IC) numbers. Thankfully, he confirmed that this vulnerability was swiftly patched late on January 2nd, highlighting the government’s commitment to ongoing security improvements.
To further quell anxieties, Rafizi emphasised that any information updated without a valid e-KYC will not be integrated into the database. This safeguard ensures that only verified users can modify their data, adding a layer of protection against unauthorised alterations. He also clarified that the e-KYC process will only be triggered after updated information is submitted, streamlining the experience for users.
One potential roadblock for some users was the issue of phone number limitations. PADU allows a single phone number to be used for up to five accounts within the same household, catering to those without individual mobile phones.
However, Rafizi stressed that while multiple accounts can be linked to one phone number, each individual aged 18 and above must still have their own registered account within the system. This enables centralised data collection while providing a single point of access for household updates, managed by the designated head of the household.
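An illustrative model of the safeguards described above (updates held back until e-KYC passes, and at most five accounts per phone number), added here as an example and not PADU's actual code. The class and method names, the constructed sample values in the usage, the read gate and the discard-on-failure behaviour are assumptions.

```python
from dataclasses import dataclass, field

MAX_ACCOUNTS_PER_PHONE = 5  # household cap stated in the article


@dataclass
class Account:
    ic_number: str
    phone: str
    ekyc_verified: bool = False
    staged: dict = field(default_factory=dict)  # held outside the record


class Registry:
    """Toy model (hypothetical): committed records plus accounts keyed by IC."""

    def __init__(self, records):
        self.records = records  # verified data of record
        self.accounts = {}

    def register(self, ic_number, phone):
        # IC number and postcode are not secrets, so registering grants nothing yet.
        if ic_number in self.accounts:
            raise ValueError("account already exists for this IC number")
        in_use = sum(a.phone == phone for a in self.accounts.values())
        if in_use >= MAX_ACCOUNTS_PER_PHONE:
            raise ValueError("phone number already linked to five accounts")
        self.accounts[ic_number] = Account(ic_number, phone)

    def submit_update(self, ic_number, changes):
        # Stage only; nothing touches the record before e-KYC.
        self.accounts[ic_number].staged.update(changes)

    def complete_ekyc(self, ic_number, passed):
        acct = self.accounts[ic_number]
        if passed:
            acct.ekyc_verified = True
            self.records.setdefault(ic_number, {}).update(acct.staged)
        acct.staged.clear()  # assumption: a failed check discards staged data
        return passed

    def read_record(self, ic_number):
        # Assumption: an unverified registrant cannot view existing data either.
        if not self.accounts[ic_number].ekyc_verified:
            raise PermissionError("e-KYC not completed")
        return dict(self.records.get(ic_number, {}))
```

In this model the registration step alone never changes or reveals a record; the e-KYC result is the only transition that does.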
Rafizi’s transparent communication and prompt action on security flaws are positive signs and crucial steps in building trust between the public and the government. But as more and more users navigate the registration process and the system evolves, the national database will be closely watched. The majority of the public, understandably, remains unappeased.
PADU’s potential benefits are undeniable. A centralised database could streamline government services, target social programs with laser precision, and unlock economic opportunities. But what good is efficiency if it comes at the cost of our digital lives? The question hangs heavy in the air, a reminder of the delicate balance between progress and privacy.
Whether the system will become a sign of progress for the country or a monument to misplaced faith in the government remains to be seen.
Only time will tell.