Details of 4.9 million students may have been hacked
KUALA LUMPUR: The Education Ministry’s online school examination analysis system, Sistem Analisis Peperiksaan Sekolah (SAPS), has been taken down.
This followed a tip-off to various media that the sapsnkra.moe.gov.my/ibubapa2/index.php site, introduced in July 2011 to centralise examination results from all states, was vulnerable to an attack called SQL Injection.
The technique is said to enable an attacker to retrieve student data stored on the site, which covers approximately 10,000 national primary and secondary schools.
The tip-off via e-mail alleged that 4.9 million students’ details, along with their parents’ MyK ad numbers, were compromised.
It also carried a large attachment containing multiple text files with what looked like student records.
The Education Ministry could not be reached for comments.
Cyber Security Malaysia senior vice-president Dr As wami Ariffin said this exploit was simple to take advantage of as the connection to the site was not secured.
“So, to mitigate, the system owner must reconfigure the system with a secure connection.
“This set-up is compulsory especially when it involves database at the back end,” he said.
Aswami said while Cyber Security Malaysia was a trusted government agency that would be able to assist in securing government websites, it was up to the system owner to engage its services.
“It is advisable for the system owner to conduct a web penetration test so that security weaknesses could be uncovered and reconfigured,” he said.
IT security services company LGMS founder C.F. Fong said websites would not be vulnerable to the SQL injection attack if vulnerability assessment and fixes were done properly.