A breach too far
Telcos should have acted swiftly with advice on what customers should do to protect themselves
MALAYSIA’s biggest data breach had happened, and, we did not even know it. It happened as early as 2012 and yet, neither the authorities nor users came forward. Some 50 million customers’ data allegedly provided to telecommunications companies are being traded for bitcoins. The leak first surfaced when an unidentified person tried to auction millions of Malaysians’ personal data, ranging from phone and MyKad numbers, to addresses and other personal details in the Lowyat website. It appears that the data were illegally obtained from the telcos’ database. To date, none of the alleged telcos would say anything except that they are working closely with MCMC and the police.
But, more should have been done by the telcos and others, in whose custody the data were entrusted. A rudimentary rule in crisis management is to acknowledge the breach with an apology. No one can deny that such a phenomenal breach is a crisis of humongous proportion. It appears that the telcos are neither concerned about their reputation, nor the safety of their customers. As socially responsible companies, the telcos should have acted swiftly with speedfire advice on what customers should do to protect themselves against identity theft. If it is really true that the breach occurred as early as 2012, the companies are five years too late. It is perhaps because the telcos take comfort in the fact that there is no law in place requiring data users to notify the authorities when they first become aware of the breach. Given the scale of the data stolen, Malaysians are understandably troubled. It is already difficult to deal with someone shadowing us, what more a doppelganger twin stranger.
We hope the Personal Data Protection (PDP) Commissioner is looking at hauling the company and its directors to court. The Personal Data Protection Act (PDPA), which came into effect in 2013, has given Malaysian companies enough time to emplace all the systems and processes required by law. It is time for the PDP commissioner to toughen enforcement action. After all, it is the interest of the people that the PDP commissioner should be protecting, not that of the companies. It appears that the first PDPA enforcement action was taken in May against a private college for processing personal data without a certificate of registration issued by the PDP commissioner. That is a good four years after the PDPA came into effect. The PDPA cannot be used to prosecute breaches prior to 2013, but what about the breaches that occurred after the act came into force? Telco customers need answers. Are the authorities being too kind to the corporate data users at the expense of consumers? Or do the laws and regulations lack the bite? By being compelled to sign off our personal data, we surrender invisible power to commercial enterprises. After profiting from us, the telcos should not make us lose our identities as well. If they do, they must be made to pay a heavy price. Making us lose our identities is a breach too far.
After profiting from us, the telcos should not make us lose our identities as well. If they do, they must be made to pay a heavy price.