Experts foresee worse govt data breaches


Ravin Palanisamy

Experts describe the current government systems data breach as a “national crisis” and say things could get worse if the government fails to address the root cause of the problem and strengthen its data breach prevention measures. – EPA pic, September 20, 2022.

THE recent data breach in a government system was something bound to happen as Putrajaya had ignored several prior warnings, experts said.

Describing the current breach as a “national crisis”, they said things could get worse if the government fails to address the root cause of the problem and strengthen its data breach prevention measures.

Cybersecurity expert Professor Dr Selvakumar Manickam of University Sains Malaysia said Malaysia could experience more cyber attacks if the government does not take the matter seriously.

“Until and when the government enforcement agencies, that are responsible for online services, and all those related agencies like Cybersecurity Malaysia (CSM), National Cyber Security Agency (Nacsa), and so on, take this matter seriously, we will keep on seeing this (data breaches).

“We could see more and more of this happening in the coming years,” the senior lecturer and researcher at National Advanced IPv6 Centre told The Malaysian Insight.

Last Thursday, an unidentified group claimed it had managed to identify vulnerabilities within e-Penyata Gaji, the salary database for Malaysian civil servants, and obtained a significant amount of data.

This theft reportedly included full names, MyKad numbers, positions, departments, pay slip numbers, mobile phone numbers and email addresses.

Speaking to The Malaysian Insight earlier this year, these experts had warned that data of millions are at risk if Malaysia faces a cyberattack.

Early this year, it was alleged that the personal data of 22.5 million people, ranging from their full names to identification numbers, home addresses, contact and ID numbers, were stolen from government servers and sold on the dark web for US$10,000 (RM44,000).

In 2017, the data of more than 46 million mobile subscribers in Malaysia were leaked in a record data breach.

As recently as July, it was reported that the Education Ministry’s e-operating system was hacked, with the hacker giving a friendly warning to the ministry to rectify the flaws in the system before others from “outside” broke in.

Selvakumar believes matters could get out of hand if no proper prevention steps are taken, saying government systems could possibly be ‘crippled’.

“What we are facing is bits and pieces. It is still on a small scale.”

“We have not seen anything major yet. If something happens on the big-scale - a full attack on government services - then they will be crippled. Nothing will move.”

“This is something waiting to happen. I believe in Murphy’s law, ‘if it can go wrong, it will definitely go wrong’,” he said.

Cybersecurity consultant Fong Chong Fook, meanwhile, described the data theft of government staff as a “national crisis” and said it could have big implications.

He said the data of government servants could be used for many purposes besides commercial ones.

Fong said foreign governments could also take advantage of this data, which could be ‘misused’.

“Data is basically useful intelligence for foreign governments as well, not just for its commercial value.”

“Foreign governments could use it to study who is who in the government as all their confidential details are there.”

“Foreign government agencies also can know how much our government staff get paid. Some of the VIP officials could also be prime targets for these foreign entities,” he said.

Government should be held responsible

Calling the Personal Data Protection Act (2010) outdated as it does not hold Putrajaya accountable for data breaches, Selvakumar said the government should be held responsible for the recent data leak.

“It goes back to the same thing, being complacent,” he said.

“No matter what we say or do, the people responsible have to be taken to task or held responsible. If not, this (data breach) is going to keep happening.”

“The Act does not hold the government responsible, so there is no accountability here.”

“There is no one for us to go to and say, ‘Hey they did this, our data is now out there. Can you take action?’.”

“No. We can’t,” Selvakumar added.

The senior lecturer added that the government should carry out a thorough analysis of their cyber resilience.

He said the government should not expect a return on investment (ROI) from such investments.

“It is probably going to be very expensive to carry out a thorough analysis of cyber resilience of our online systems,” Selvakumar said.

“This is not something you can look at for ROI. There is no ROI when we perform cyber resilience analysis, hardening systems and other things.”

“Should not expect ROI on something you have to do,” he said.

On Sunday, Communications and Multimedia Minister Annuar Musa said the government has a lead on the alleged data theft of civil servant e-payslips and that Nacsa will issue a statement soon.

Fong said the data breach of the government system is very concerning.

He said if the authorities do have a lead, they should look into where the data breach came from.

“They should also be transparent with their investigation,” Fong said.

“If they (government) have the heads up, then they should initiate an investigation to look where the data leak came from.”

“So far, out of so many cases of data leakages, we have never seen any solution. We have not seen the authorities identifying the source of the problem.”

“All of the time it is just denial.”

Pakatan Harapan information chief Fahmi Fadzil said Prime Minister Ismail Sabri Yaakob should immediately direct all ministries and heads of agencies to conduct a comprehensive cybersecurity audit.

He said Ismail needs to explain the breach to Parliament. – September 20, 2022.

