PERSONAL INFO OF UNIVERSITI MALAYA STAFF MAY BE OUT IN THE OPEN
Expert: Root cause of data breach must be probed
PETALING JAYA: Universiti Malaya (UM) has to investigate the root cause of the data breach if it’s true that its portals have been compromised according to a technology portal, says a cybersecurity specialist.
It was reported that the first part of the leaked data contained payslip details such as bank names and account numbers, which were matched to staff names, as well as MyKad and staff ID numbers.
The data breach has apparently come after the UM’s E-Pay portal was defaced on Thursday to display a protest message that included #NoRasis and #UndurVC before it was taken down and remains inaccessible.
“These hackers are like sleepers inside a server: they’re waiting for a trigger before exposing the owner,” said cybersecurity company LGMS director Fong Choong Fook.
The systems could have been compromised even before the UM E-Pay Cashless Payment and Records portal was defaced, he added.
UM had released a statement claiming that no data or information were compromised when the E-Pay portal was defaced, but soon after a tech portal reported that the varsity suffered a massive data breach.
Technology portal Lowyat.net on Friday night said that personal data of both UM academic and non-academic staff, including payslips and bank account details were leaked on an anonymous file-sharing site.
The second part included Employees Tax (IRB) and EPF numbers, department, branch location, position, salary, and up to 24,000 login IDs and hashed passwords believed to be from the E-Pay portal.
However, it was unable to confirm if the two incidents were related.
Fong said the university has to kick start a digital forensic investigation to weed out all the backdoors.
“Otherwise, if one server was compromised, it could also mean that multiple other servers were compromised as well,” he said.
“It shows that the organisation is lacking in-house procedures to keep its security intact.”
UM has yet to deny or confirm the Lowyat.net report on the data breach and has yet to release a statement on the matter.
But the varsity and the Personal Data Protection Department (JPDP) said they are aware of and are looking into the report.
A Malaysian Communications and Multimedia Commission (MCMC) spokesman said the regulatory body will only provide technical assistance upon request.
Meanwhile, the University of Malaya Student Union (UMSU) is seeking students’ help to shut down social media accounts belonging to the hacker claiming to have compromised the varsity’s portals.
In a Facebook post, it urged students to make a police report if they spotted the hacker’s accounts, as the university’s IT Department is closed for the weekend.
It also advised students to avoid logging in to UM websites or WiFi networks, and to change their email passwords.
The page also shared a screencap of a hacker’s Twitter account with the username MrX who posted links to what’s claimed to be the data of UM staff.
One Twitter account belonging to MrX has already been shut down, most likely after UMSU highlighted it.
A Facebook page with the same name claimed to be the hacker responsible for the purported attack and blamed UM for having poor security.
MrX also claimed more info will be leaked on the file-sharing site.