Investigate data leaks, strengthen Personal Data Protection Act

Social media services - Graphic: Wikipedia

We, the undersigned civil society groups and concerned individuals, are alarmed by reports of 28 January 2018 of data leaks involving 220,000 registered organ donors.

Media reports say the data leak also included MyKad numbers, home addresses and telephone numbers of donors/pledgers and their next of kin.

In September 2017, the online forum lowyat.net reported a data leak involving 46.2m Malaysian mobile users – their personal details, MyKad numbers, addresses and mobile phone numbers. This massive data leak was said to have taken place from 2014 to 2016.

Leaks of such scale raise substantial concerns about the extent of procedural flaws or security breaches in the data protection systems of government agencies and public sector corporations.

These breaches of security open wide the door to identity theft and provide criminals with an ideal database to social-engineer the perfect phishing attack against individuals whose intimate personal data have been exposed. These data leaks will have a far-reaching impact on members of the public and on the integrity of personal data held by government agencies and the private sector.

Despite the gravity of the situation, the Personal Data Protection Commission, the Malaysian Communications and Multimedia Commission and the police have failed to offer any substantial remedy or action plan to address the leaks.

In both the cases set out earlier, we regret to note that organisations such as lowyat.net or members of the public who exposed the issue have been censured, reprimanded and investigated. Concerned individuals who have been vigilant and had the courage to expose such security breaches should be applauded and not reprimanded.


The extent of the data leaks is a clear indication of the urgency to enforce and, if necessary, reform the Personal Data Protection Act (PDPA) 2010 to safeguard personal data in the digital realm. The relevant code of practice must be put in place immediately to strengthen protections and to prevent or mitigate future breaches. Punitive action needs to be taken against government agencies, corporations, organisations or individuals who fail to secure users’ private information in their possession.

Given the latest incident, it is high time that the act is reviewed to cover federal and state governments and their agencies which collect, store and process users’ personal data.

It is no longer acceptable that the government and its agents are allowed to ignore the importance of data protection standards as they are also vulnerable to the threats of data breaches.

To this end, we, the undersigned civil society groups and concerned individuals, call for:

  • a transparent investigation into the data leaks;
  • all digital transactions to have necessary and adequate security measures in place;
  • a policy and standard to be introduced for all government agencies that handle personal data, to ensure that the personal data processed are secure, safe and not open to abuse;
  • relevant government agencies to be made accountable for data leaks in their departments or through their agents;
  • all harassment and investigation of journalists and individuals exposing the data leaks to cease;
  • avenues (such as websites) to be introduced or allowed for individuals to check whether their personal data has been compromised; and
  • reform of the Personal Data Protection Act 2010 to include the federal and state governments.

Endorsed by:

Aliran
Amnesty International Malaysia
Centre for Independent Journalism
Civil Rights Committee of KL and Selangor Chinese Assembly Hall
Empower
Friends of Kota Damansara
Hakam
Lawyers for Liberty
North South Initiative
Pusat Komas
Saya Anak Bangsa Malaysia
Sinar Project
Suara Rakyat Malaysia (Suaram)
Teoh Beng Hock – Trust for Democracy

Concerned citizens:

Colin Charles
Gayathry Venkiteswaran
Keith Rozario
Lau Yi Leong


Comments

PolitiScheiss (a.k.a. IT.Scheiss)

The Internet is a Wild West, where the one who is faster at the draw of their gun wins the duel. It is a domain where concepts of justice, fairness, morality and the right to enjoy the fruits of one’s creativity and labour mean nothing, but where the one who can beat the system without being detected wins, fair or foul.

Keep most of our key personal data off the Internet as much as possible. It is a cesspit, with a pariah culture and den of thieves. Keep your personal data away from the Internet.

http://itsheiss.blogspot.my/

PolitiScheiss (a.k.a. IT.Scheiss)

As for my neighbour, she was fooled into parting with her money by a caller pretending to be from the police, who had supposedly tapped into the telephone line of a main police station in Kedah (or had manipulated the digital core telecommunications system to appear to be calling from that police station).

Anyway, after her transfer of her third tranche of funds, it dawned on her that this was a scam and she lodged a police report, then went to the bank, which froze these accounts pending a court ruling on the release of the funds back to her.

It’s said that the scammers gave money to poor people and asked them to open bank accounts in their name and then give the ATM card and PIN number to the crooks to withdraw money up to the daily limit.

PolitiScheiss (a.k.a. IT.Scheiss)

The Malaysiakini special report on this breach is dated 27 November 2017, about three and a half months ago, and they are still not able to identify the culprits who leaked the key subscriber data. Besides each phone’s IMEI (International Mobile Equipment Identity) number – i.e. its unique “electronic serial number” used by the Public Cellular Blocking Service to block stolen phones from working – the leaked data also included each subscriber’s MyKAD or passport number, full name as in MyKAD or passport, and so forth.

In 2014, I had four postpaid cellular accounts in my name and all the details of these showed up when I checked on the now inaccessible sayakenahack.com website.

The more sophisticated a system, the bigger the damage by crooks.

PolitiScheiss (a.k.a. IT.Scheiss)

In addition, the leakage of key details of the 43.2 million cellular subscribers in Malaysia in mid-2014 comprised subscriber data submitted by the various cellular operators to be included in the Malaysian Central Equipment Identity Register (MCEIR), the MCMC’s centralised database, a part of its Public Cellular Blocking Service (PCBS) used to render mobile phones reported stolen through the website blockmyphone.my unusable even with a different SIM card. The MCMC had outsourced operation of this service to a private company, Nuemera Sdn Bhd, and it is suspected that some of its employees had leaked the data.

Malaysiakini has a pretty comprehensive report on this breach.
https://www.malaysiakini.com/

PolitiScheiss (a.k.a. IT.Scheiss)

I have received calls purportedly from TM Unifi, credit card companies and so forth telling me that my Unifi account was being used to run an illegal Internet gambling operation, that my non-existent credit card tied to my MyKAD number and full name had several thousand in overdue settlements and so forth, and asking me to reveal certain key codes to resolve the problem or whatever.

I almost fell for this trick the first time but now tell the caller that I’ll go and sort this out with TM, the bank which issues the credit card I don’t actually have, the police where applicable and then I hang up.

My neighbour fell for a scam call accusing her of money laundering and in panic she transferred about RM500K into 3 accounts named by the caller