Data breach opens up a can of worms
MALAYSIA is a nation of many contrasts. At the tail-end of the working week, we laid the foundation for the Digital Free Trade Zone (DFTZ) which signalled the country’s serious intention to be a player in the digital economy.
However, the headlines spelled out a different tale earlier in the week; about whether we are equipped to manage digital economy’s most precious resources: data.
On Oct 31, The Star reported on what is believed to be the biggest data breach Malaysia has ever seen, although the news was first broken by technology news portal LowYat.net on Oct 19 and Oct 30 after it discovered that someone was offering to sell huge databases of personal information on its online forum.
The personal details of 46.2 million subscriptions involving 14 mobile service providers were up for grabs. (If this sounds incredible because Malaysia’s population is only about 30 million, note that many of us have multiple subscriptions.)
Also on the market was the personal information from various medical groups, as well as JobStreet, the Malaysian-founded recruitment portal that has since been acquired by Australia’s SEEK Group.
The actual data breach is believed to have happened in 2014. The Malaysian Communications and Multimedia Commission and the Commercial Crimes Investigation Department are investigating, and on Wednesday, Communications and Multimedia Minister Datuk Seri Salleh Said Keruak told Parliament that this probe would be “completed soon”.
The massive data breach should be of grave concern to not only consumers but also the Government, as well as the companies and groups whose databases were breached.
So far, only JobStreet has publicly acknowledged the breach and reached out to its users. All the other parties have been silent in a strange “if we don’t acknowledge it, it didn’t happen” sort of way.
That’s because they’re not required to. Malaysia’s Personal Data Protection Act (PDPA) that was passed in 2010 only covers commercial transactions.
While it has robust requirements for the collection, storage, treatment and security of personal data, as well as consumer rights on how their data is collected and used, the PDPA’s glaring weakness is in what it doesn’t cover.
For one, it covers only commercial entities. The Government and state governments are exempt. While there are good reasons for this – the need to collect census data as well as national security – the PDPA would work better if it explicitly spells out which government agencies are exempt, for what purposes, and the process by which these agencies can ask for such data.
This is especially important because currently, there are two possibilities as to how those huge databases were made available for sale on the LowYat forum:
1) Somebody took the information from multiple data breaches and collated it all into one huge repository; or
2) A central repository that contained all this information was breached.
The other weakness is that there are no clauses requiring parties to admit their databases have been breached. In developed countries, personal data protection legislation requires companies to do so.
It is not about shaming the companies concerned, but about giving them a definitive course of action of what must be done when there is a data breach, including telling their users what they can do to minimise the damage, such as changing passwords or getting their banks to change their credit card numbers.
It is telling that the only company which did this is an Australian one. It is not unfair to hold Malaysia to the standards of developed economies because becoming a digital economy player means thinking globally.
And the only way to do that would be to “level-up” the PDPA to keep up with international standards.