Data leaks: PDPA doesn’t cover govt-related data, govt urged to buck up

19 May 2022 08:30am
Screenshots of alleged databases from National Registration Department's MyIdentity system and Election committee's website.
Screenshots of alleged databases from National Registration Department's MyIdentity system and Election committee's website.

SHAH ALAM: As the news of Malaysian’s personal data being sold online for USD10,000 (about RM44,000) broke yesterday, the question of how secure are our data lingers.

As Sinar Daily digs further, we discovered that the Personal Data Protection Act (PDPA) in the country only applies to data relating to non-governmental transactions.

It does not apply to data processed by the government.

A source well versed in the PDPA said that the Act could only be used to take action should the personal data be used for commercial purposes or personal transactions, but it has no control if the leak was within the governmental agencies.

Commenting on this, tech policy practitioner Maryam Lee said that massive data leaks involving almost the entirety of the adult Malaysian population like this, allegedly from government servers and systems, could be likened to the government exposing the public to actual harm.

Since PDPA does not include data managed by government entities, she said citizens have no way of demanding accountability for the harms that occurred due to their failure to protect the data.

“In the PDPA, we have the right to be notified if there has been a breach of data. But because the law doesn’t apply to government entities, they don’t have an obligation to notify us of the leak.

Related Articles:

“Our data is us, they represent us in the digital space to perform digital transactions on our behalf.

“The way the government should treat our data should be the same way that they treat us as citizens: protect our general welfare and wellbeing, including our fundamental human right to privacy,” she told Sinar Daily.

When asked how to stop the data breaches, Maryam said technological problems were best solved with technological solutions but the government must first recognise that individuals were the sole owners of their own data

“The ownership of data should not be with any third party, public or private entities.

“Secondly, there should be a way for citizens to transparently protect our data at the click of a button. Provide options because there are currently no technological protection solutions.

“This would be the long-term solution. Laws and legislation don’t protect us enough in a fast-paced digital world,” she added.

Maryam said there should be a legislation stating that technology solutions providers and administrators must protect users’ privacy by design.

Meanwhile, former Suhakam commissioner Jerald Joseph said the government should not take the matter lightly and reevaluate the IT infrastructure that stored the data.

“Audit should be conducted to check whether our system was secured, whether the standard of our IT infrastructure is up to par. If there are loopholes, it needs to be fixed.

“It is a serious offence, and authorities need to investigate how the data was leaked, whether the security was breached, it was physically stolen or failure in the system,” he told Sinar Daily.

If the data was handled by third party agencies hired by the government, he said an independent body was needed to monitor the implementation of the critical infrastructure (database), and due diligence should be conducted to ensure that the companies passed the security checks and tests.

Jerald said that a transparent tender process should be done so that only competent companies have access to such sensitive data, and it should not be awarded to cronies.

He said the personal data were meant for the administrative system of the country and should be secured.

“In this new world we live in, data has become a gold mine, especially for business and politics.

“Businesses could exploit these data for profits and it could also be used by politicians for their own benefits,” he said.

Cybersecurity expert Professor Dr Zarina Shukur said it was crucial for some sort of protection to be put into effect to avoid data leakage and emphasised that penalties should be heftier.

“The government needs to strengthen the system to avoid the same thing from recurring.

“In Europe, the system has been upgraded to the point that it is very difficult for anyone to access their personal data, so the same thing should be applied in Malaysia,” she said.

She said that there were no clear punishments or penalties imposed on the perpetrators who sold these data, which needs to change.

She also emphasised that people are more likely to get scammed with the widespread sale of personal data.

At the moment, several agencies such as the police, Malaysian Communications and Multimedia Commission and Department of Personal Data Protection deal with crimes related to personal data, and the jurisdiction falls based on the crimes committed.

Earlier, it was reported that a potential data breach at two Malaysian government agencies had occured when an individual claimed to have sold personal data of over 22 million Malaysians on an online forum for USD10,000 (about RM44,000).

The seller claimed to be the same party behind last year’s sale of personal data belonging to four million Malaysians.

This time, the first database on sale allegedly contained 22.5 million records obtained from the National Registration Department’s (NRD) MyIdentity system.

The seller claimed that the database on sale entailed information such as full name, IC, mobile number, complete address, gender, race, religion and the photo in the IC for the entire adult population in Malaysia born between 1940 to 2004.

Aside from that, the individual also claimed that data from the Election Commission website was also up for sale.

Several technology websites reported that Home Minister Datuk Seri Hamzah Zainudin’s details were also said to have been included in the leaked dataset, which acted as proof that the seller allegedly had legit data to be sold.

Commenting on the issue, Hamzah said the ministry was conducting a thorough probe into the leaked data claims, and the initial investigation revealed there was no solid proof that the leaked data were obtained from the NRD’s database.

In a similar case last year, he said the ministry managed to prove that the data was not from NRD per se but from third parties working with the department.

Hamzah admitted there was a need for NRD to revise their standard operating procedure on the need to reveal the information to third parties.

Commercial Crime Investigation Department director Datuk Mohd Kamarudin Md Din confirmed the department received a police report on the matter and was being investigated.

Last year, a similar attempt was made allegedly by the same individual to sell the NRD database that contained four million Malaysians’ personal details and information from the Inland Revenue Board website.