Recurring Data Breaches in Malaysia – Plain Ignorance or Just Weak Enforcement
Personal information is extremely valuable in the modern digital age, yet if it is not safeguarded adequately, the result can be catastrophic data breaches that expose millions of people. In 2020, a huge data breach in Malaysia revealed the personal information of millions of citizens. Over the next two years, millions of Malaysians’ personal information was compromised again in a series of data breaches, despite the public outcry and the government’s vow to clamp down on such incidents. One must wonder whether this is due to simple ignorance of the subject or to lax enforcement of cybersecurity requirements.
A Wake-Up Call for Malaysia
In December 2022, almost 13 million Malaysians were reportedly affected by a large data breach. The breach reportedly involved three parties: Maybank, satellite broadcaster Astro, and the Election Commission. Malaysia’s Communications and Digital Minister, Fahmi Fadzil, launched an inquiry into the incident, and concerns were raised about the state of cybersecurity in Malaysia and the adequacy of the government’s response.
Of the three parties named, only Maybank has disputed the breach. Maybank initially denied it, but on December 26, 2022, the cyber threat intelligence platform ThreatMon announced on Twitter that it had found data related to the breach on dark web forums. In response, Fadzil ordered the Personal Data Protection Department and CyberSecurity Malaysia to investigate the breach and take appropriate measures.
While it was speculated that all three parties may have been affected, the investigation found that the Maybank account information offered on the dark web forums was either inaccurate or non-existent. Whether Astro and the Election Commission were actually breached remains unclear. The incident has nevertheless highlighted concerns about the state of cybersecurity in Malaysia and the need for stronger measures to prevent future breaches.
In the wake of the recurring data breaches in Malaysia, there are concerns about the adequacy of the country’s cybersecurity and data protection measures. Although the investigation was launched by the Communications and Digital Minister, Fahmi Fadzil also revealed that the Election Commission’s data falls outside the scope of the Personal Data Protection Act 2010 and is instead the responsibility of the National Cyber Security Agency.
The collection and use of individuals’ personal information in Malaysia is regulated under the Personal Data Protection Act 2010. Organisations that process personal data in commercial transactions are subject to the Act, which governs the collection, use, disclosure and storage of such data. The law also grants individuals rights, including the right to access their own data and to have inaccuracies in it corrected on request.
Because the Election Commission is a government body responsible for overseeing and conducting elections in Malaysia, its data is exempt from the Personal Data Protection Act 2010, which does not apply to the federal and state governments. The Election Commission processes voter information in a public capacity and is therefore bound by a different set of rules from those that apply to commercial organisations.
The Election Commission is just one of the government agencies that rely on the National Cyber Security Agency to ensure that voter information is protected and intrusions are prevented.
As the Personal Data Protection Act 2010 does not apply to the Election Commission data stolen in the latest breach, the Act was not broken. Fadzil has nevertheless taken measures to block further access to the website where the stolen information was posted.
Yet the data leak is more significant than the Election Commission alone. Worryingly, ordinary Malaysians’ private information was also exposed. It should be made clear that this is not the first time this has happened, and nothing appears to have changed, regardless of how many millions of personal records are leaked or stolen. To paint a picture of how bad it is, the following are the incidents reported in 2022 alone:
| Date (2022) | Event |
|---|---|
| December 30 | A listing claiming to contain the personal data of 13 million account holders of Maybank, Malaysia’s largest bank, was posted on an online database marketplace. A separate listing offered what the seller claimed was the personal database of internet provider Unifi’s mobile customers. |
| November 28 | A database of 487 million WhatsApp user mobile numbers, including 11 million Malaysian numbers, was reportedly offered for sale on a hacking forum. The seller claimed the set covered accounts from 84 countries. |
| November 10 | Malaysia’s election regulator had its database hacked. The stolen data reportedly included registered voters’ MyKad (identity card) numbers, full names, email addresses, passwords, home addresses and photographs. The data was offered for USD 2,000, payable in Bitcoin or Monero. |
| November 5 | AirAsia, the Malaysian budget airline, was hit by a Daixin ransomware attack that put the personal information of five million passengers at risk. |
| October 25 | Around 2.6 million Carousell users in Malaysia and Singapore were affected by a data breach in which the attackers publicly posted users’ account creation dates, usernames, full names, email addresses, phone numbers and more. The breach was traced to a bug introduced during a system migration, which a third party exploited to gain unauthorised access to the company’s database. |
| September | Hackers claiming to belong to a ‘grey hat’ cybersecurity group alleged that they had breached the civil servant e-payslip system (ePenyata Gaji) and accessed over a million rows of identity records from its database. |
| September | Malindo Air, since rebranded as Batik Air, suffered a data leak in which 45 million customers’ email addresses, dates of birth, addresses, passport numbers and phone numbers were exposed online. |
| August | Payment gateway iPay88 had customers’ card data compromised in a cybersecurity incident. The company launched an investigation and engaged outside experts to contain it. |
| May | Millions of records belonging to the National Registration Department (NRD) were uploaded to the dark web, including the personal data of Malaysians who had registered for identity cards between 2000 and 2018. |
Promises Made, Promises Broken?
It’s a refrain that we’ve all heard before: A company suffers a massive data breach, promises to do better, and then nothing happens. Despite the assurances and commitments made in the wake of such incidents, it seems that very little is actually done to hold these companies accountable for their failures.
Meanwhile, other jurisdictions such as Australia, the UK and South Korea have put in place robust data breach regimes, including fines and penalties for companies that fail to protect their customers’ data.
In Australia, companies are required by law to report eligible data breaches to the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, and serious or repeated interferences with privacy attracted penalties of up to AUD 2.1 million (approximately USD 1.5 million), a cap that was raised sharply by amendments passed in late 2022. In the UK, companies can be fined up to 4% of their annual worldwide turnover or GBP 17.5 million, whichever is higher, for serious infringements of the UK GDPR, while South Korea’s data protection law requires companies to notify affected customers without delay when a breach occurs.
A few notable examples of corporations that have been fined heavily over the previous two years for breaches:
- Summer 2021, retail giant Amazon was fined €746 million (USD $877 million) by Luxembourg’s data protection authority (CNPD) for breaching the GDPR. Amazon is appealing the fine, stating that there was no data breach and that no customer data was exposed to any third party.
- September 2022, Instagram was fined €405 million (USD $403 million) by Ireland’s Data Protection Commission (DPC) for violating children’s privacy under the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses. Instagram’s owner, Meta, plans to appeal the decision and disagrees with how the fine was calculated.
- July 2022, mobile communications giant T-Mobile announced that it would pay an aggregate of USD $350 million to settle a consolidated class action lawsuit following a data breach in 2021 that affected an estimated 77 million people. The incident centred on “unauthorised access” to T-Mobile’s systems, discovered after a portion of customer data was listed for sale on a known cybercriminal forum. The company also committed to an aggregate incremental spend of USD $150 million on data security and related technology in 2022 and 2023.
- August 2021, Facebook-owned messaging service WhatsApp was fined €225 million (USD $255 million) by Ireland’s DPC for transparency failures under the GDPR in a cross-border case. The fine followed a lengthy investigation and enforcement process that began in 2018, during which the DPC’s proposed decision and sanctions were rejected by its counterpart European data protection regulators and the fine was increased.
- November 2022, Meta, the owner of Facebook, was fined €265 million by the Irish data watchdog for a breach that exposed the data of over 500 million users. The DPC found that Meta had breached Article 25(1) and 25(2) of the GDPR (data protection by design and by default) after details of Facebook users worldwide were scraped from public profiles in 2018 and 2019. In addition to the fine, the DPC imposed a reprimand and an order requiring Meta to bring its processing into compliance by taking specified remedial actions within a set timeframe.
- December 2021, Capital One agreed to pay USD $190 million to settle a class-action lawsuit filed against it by U.S. customers over a 2019 data breach that affected 100 million people. This settlement comes more than a year after the U.S. Office of the Comptroller of the Currency fined Capital One USD $80 million for the same breach.
Hundreds of other companies around the world have likewise been reprimanded and faced legal consequences for data breaches. It is also true, however, that not all cases are reported and that some laws are not strictly enforced; much depends on the country and its regulations.
In Malaysia in particular, the lack of accountability is deeply concerning, especially given the increasing prevalence of data breaches in the country and the potential harm that can be caused by the theft of sensitive personal information.
It’s time for Malaysia to take data breaches seriously and actually enforce the penalties that already exist: the Personal Data Protection Act 2010 provides for fines of up to RM300,000 and up to two years’ imprisonment for breaching its data protection principles, yet at the time of writing it still imposes no mandatory duty to notify the regulator or affected individuals when a breach occurs. Without meaningful consequences for these breaches, we can expect to see more of the same broken promises and inaction that have characterised the response to data breaches thus far.
The Root Causes of Malaysia’s Cybersecurity Struggles
Malaysia’s cybersecurity challenges have been attributed to various factors, including inadequate funding and resources, insufficient personnel training, and a lack of coordination and communication between commercial and governmental institutions. However, there are steps that organisations can take to prevent becoming the next victim of a data breach.
Two industry leaders in security solutions, Kaspersky and Qualys, have shared their insights on the matter and proposed potential remedies.
Kaspersky’s Chris Connell emphasised the value of staff training and education, noting that many data breaches are the result of staff members not being aware of the significance of taking preventative measures. By providing engaging and relevant education, organisations can reduce the likelihood of data breaches.
Qualys’ Debashish Jyotiprakash suggested a risk-based approach to cybersecurity: quantifying risk across vulnerabilities, individual assets and groups of assets so that an organisation understands its own risk posture rather than treating every finding as equally urgent. He also pointed to a zero-trust security model, under which every request for access is treated as hostile until it has been verified, as a way to keep data safe.
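To make the risk-based idea concrete, the Python below is an added illustration and is not code from Qualys, Kaspersky or the article. It scores each vulnerability finding by combining severity (CVSS), how reachable the asset is, whether the weakness is known to be exploited, and how critical the asset is to the business, then rolls the scores up per asset and per asset group. The weighting scheme, the asset names and the findings are all constructed for the example; a real programme would take severity from a scanner, exposure and criticality from an asset inventory, and exploitation status from a threat-intelligence feed.

```python
"""Risk-based prioritisation of vulnerability findings across assets and asset groups.

Added example; the weights and sample findings below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str              # hostname or asset identifier (constructed)
    group: str              # grouping of assets, e.g. "internet-facing"
    cvss: float             # CVSS base score, 0.0 .. 10.0
    exposure: str           # "internet", "partner" or "internal"
    exploited_in_wild: bool  # known active exploitation of this weakness
    asset_criticality: int  # 1 (throwaway) .. 5 (crown jewel)


# Hypothetical likelihood modifiers: an internet-reachable flaw is far more likely
# to be hit than one only reachable from the internal network.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}
EXPLOITED_MULTIPLIER = 1.5


def finding_risk(f: Finding) -> float:
    """Score 0..100 = severity x likelihood x business impact (hypothetical weighting)."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"out-of-range score in finding for {f.asset}")
    severity = f.cvss / 10.0
    likelihood = EXPOSURE_WEIGHT[f.exposure] * (EXPLOITED_MULTIPLIER if f.exploited_in_wild else 1.0)
    impact = f.asset_criticality / 5.0
    return round(min(100.0, 100.0 * severity * likelihood * impact), 1)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Findings in the order they should be fixed: highest risk first, asset name as tie-break."""
    return sorted(findings, key=lambda f: (-finding_risk(f), f.asset))


def asset_risk(findings: list[Finding]) -> dict[str, float]:
    """Per-asset posture: the worst finding on the asset drives its risk."""
    out: dict[str, float] = {}
    for f in findings:
        out[f.asset] = max(out.get(f.asset, 0.0), finding_risk(f))
    return out


def group_risk(findings: list[Finding]) -> dict[str, dict[str, float]]:
    """Per-group posture: worst finding, accumulated risk and finding count."""
    agg = defaultdict(lambda: {"max": 0.0, "total": 0.0, "findings": 0})
    for f in findings:
        r = finding_risk(f)
        g = agg[f.group]
        g["max"] = max(g["max"], r)
        g["total"] = round(g["total"] + r, 1)
        g["findings"] += 1
    return dict(agg)


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding("web-portal", "internet-facing", 9.8, "internet", True, 4),
    Finding("web-portal", "internet-facing", 5.3, "internet", False, 4),
    Finding("hr-db", "internal", 9.8, "internal", False, 5),
    Finding("dev-wiki", "internal", 7.5, "internal", False, 1),
    Finding("partner-api", "partner-facing", 8.1, "partner", True, 3),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{finding_risk(f):6.1f}  {f.asset:<12} cvss={f.cvss} {f.exposure}")
    print("per asset:", asset_risk(SAMPLE_FINDINGS))
    print("per group:", group_risk(SAMPLE_FINDINGS))
```

The point the output makes is that severity alone misleads: the CVSS 9.8 flaw on the internal HR database scores below the CVSS 5.3 flaw on the internet-facing portal, because reachability and active exploitation change the likelihood of the flaw actually being used. The per-group roll-up is what a security lead would put in front of management when arguing for where the next budget should go.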
Both Connell and Jyotiprakash highlighted the importance of public-private partnerships and open lines of communication to share threat intelligence, collaborate on training, and work towards the common aim of stopping bad actors and protecting consumers.
Malaysia’s cybersecurity challenges may seem daunting but organisations can take action to protect themselves from data breaches. By investing in cybersecurity, providing staff training and education, and collaborating with public and private entities, organisations can bolster their cybersecurity posture and prevent becoming the next victim of a data breach.
Looking Ahead: The Urgent Need for Stronger Data Security Measures in Malaysia
It is indisputable that in today’s digital world, Malaysia faces increasing cyber threats. Protecting the nation’s security and sovereignty requires concerted effort from both the government and the public. Developing a competent workforce and maintaining appropriate standards and best practices are essential to the success of the National Cyber Security Agency (NACSA), a key player in the fight against cyber threats. However, NACSA can only do its job if it is backed by a strong governance framework that provides the resources it needs.
There is an increasing need for Malaysia to take preventative measures to keep its cyberspace secure as the threat landscape evolves. For this to be successful on a national scale, everyone involved will need to work together. Maintaining the freedom of the internet while simultaneously safeguarding the nation’s ideals is a delicate balancing act.
The importance of stronger cybersecurity measures for Malaysia is hard to overstate. Now more than ever, governments need the resources to keep pace with evolving cyber threats and keep their populations secure as the digital revolution gathers momentum. Staying ahead of the curve and protecting the nation’s cyberspace for future generations will require everyone’s concerted effort over the next five years and beyond.