Experts: Laws, greater vigilance sorely needed to curb data breach


Source: Free Malaysia Today

PETALING JAYA: Vijandren Ramadass, the founder of a tech portal, has lamented the lack of laws in Malaysia that outline what organisations should do in the event of a data breach.

The European Union, for instance, is drafting a general data protection regulation.

The United States already has laws that require companies to notify those affected by their data breaches, a report in Today Online said.

In October last year, Vijandren uncovered a major data leak in Malaysia said to have affected almost every Malaysian and possibly millions of tourists.

He had discovered the leak when a user tried to sell the data on the portal’s forum.

The leaked data, which cybersecurity experts have said was extensive enough to allow criminals to create fraudulent identities to make online purchases, included lists of mobile phone numbers, identification card numbers, home addresses, and SIM card data of 46.2 million customers.

It also contained personal data from some medical associations and a jobs portal.

The Malaysian Communications and Multimedia Commission (MCMC) had said it had identified the possible sources of the massive personal data breach.

Last month, the portal once again discovered that the personal details of over 200,000 Malaysian organ donors and their next of kin had been leaked, with the data available online for over a year.

Today Online quoted cyber security experts as saying that the breaches likely stemmed from the use of poor cyber security tools that did not offer sufficient protection against increasingly sophisticated threats.

They warned that with cyber breaches happening worldwide on a daily basis and online threats becoming harder to detect, any organisation or individual could be vulnerable.

In Malaysia, any person found guilty of selling personal data can be fined up to RM500,000 or jailed for a maximum of three years or both under the Personal Data Protection Act.

The legislation was enacted in 2010 to protect personal data of Malaysians from being misused.

MCMC also has a general consumer Code of Practice for the communications and multimedia industry, which states the measures service providers should take to provide adequate security for personal data.

However, Foo Siang-tse, the managing director for Quann Asia Pacific, a cyber security services provider, said data protection laws could only provide the necessary frameworks and requirements for compliance.

“The implementation of cyber-security measures, on the other hand, is far more challenging.

“Cyber defenders must be vigilant all the time while hackers only need to be successful once. This is a challenge for many countries, and not just Malaysia,” Foo said.

Experts say many factors contribute to data breaches. For example, a breach could stem from a compromised laptop or server, or from someone extracting information because an organisation lacks data protection procedures.

Even online file storage and email services like Dropbox and Yahoo were compromised recently.

“If the data was stored in any of these online services, then it could have been easily breached by accessing these accounts with stolen credentials,” Vijandren was quoted as saying.

Foo urged organisations to work with an experienced cyber security partner.

“Employees must be educated on current cyber security threats and how they should protect themselves and their organisations. These include keeping passwords secure and not clicking on suspicious links or files,” he said.

Last week, PKR communications director Fahmi Fadzil filed a civil suit against two parties over the massive data breach involving more than 46 million mobile subscribers in Malaysia.

The two parties are MCMC and Nuemara (M) Sdn Bhd, the company managing the Public Cellular Blocking Service (PCBS).

“The civil suit is for failing to guarantee the safety of personal information of the mobile users.

“It involves 42 million users. That involves almost all citizens and foreigners living in Malaysia.”

Fahmi said the incident took place in 2014 but no one had yet taken responsibility for it, nor had anyone been detained over the leak.