Question for the Minister of Communications and Multimedia, and Bank Negara Malaysia


WHAT is your response to RHB’s error in the issuance of e-statements sent via email to a number of customers?

This is not the first time. Various other data breaches by organisations in Malaysia have come and gone – buried without any trace or accountability by the organisations that suffered the breaches or caused the unauthorised release.

In simple terms, a data breach may be described as the unauthorised release of secure, private and confidential information into an unauthorised environment.

The people are tired of being taken for granted and have had enough. Organisations in Malaysia appear nonchalant and adopt this attitude that Malaysians will get over it and that we can’t do without them.

For example, in February 2018, a suit was filed by a politician against the MCMC and the company appointed by MCMC in 2014 to manage its public cellular blocking service for allegedly failing to prevent the leakage of his personal data, along with that of 46.2 million subscribers.

Nothing further was heard about this suit, about any improvements undertaken, or about what happened to the data.

Dear Minister, under the Personal Data Protection Act 2010 (PDPA 2010), which is under your jurisdiction, Clause 9 – the security principle – imposes a duty on data users to put in place adequate security and indemnity measures to prevent the theft, misuse, unauthorised access, accidental disclosure, alteration or destruction of data under their care, and requires data users to take measures to ensure the reliability, integrity and competence of personnel having access to the personal data.

Clause 8 – the disclosure principle – prohibits data users from disclosing personal data, or making it available, to any third party without the consent of the data subjects.

With the passing and the coming into force of the act on November 15, 2013, Malaysians thought that their data privacy would be safeguarded by the PDPA.

Apparently, this is only true on paper. Personal data, as defined in the PDPA, is any information collected or processed in connection with a commercial transaction by any equipment operating automatically (e.g., ATMs, computers) which is capable of identifying a person (the data subject).

The above definition includes information such as names, addresses, identification card/passport numbers, email addresses, telephone numbers, as well as banking details.

Until now, consumers have been willing to lend their data or have unknowingly given it away to get convenience or information in return.

Data privacy has become one of the defining issues of the past 10 years. With the proliferation of, and advances in, technology, the data it produces and carries have become enmeshed in our lives in ways we now take for granted, raising the stakes for criminal elements to ‘acquire’ that data ‘illegally’ in whichever way possible.

If the data are misused, the economic stakes and social consequences for the country are dire.

In a 2014 breach at one of the established banks on Wall Street, in which 76 million households and 4 million small business accounts were affected, the source of the breach was eventually traced to a member of staff organising a charity run sponsored by the said bank.

Hackers obtained this person’s password and, through a series of manoeuvres, penetrated the bank’s systems.

Before that, and even up to now, banks were viewed as relatively safe from online assaults because of their investment in defences and trained security staff.

Most previous breaches at banks involved stealing personal identification numbers for ATM accounts, not going deep into the internal workings of a bank’s computer systems.

As minister, you are obliged and have a responsibility under the PDPA to initiate an investigation and act against the bank if there is any wrongdoing on its part in complying with Clauses 8 and 9 of the PDPA.

In 2018 and 2019, you fined seven or eight different parties in total under the PDPA for violation of the act.

So, it won’t be the first time that you will be enforcing the PDPA on offending organisations in Malaysia.

As for Bank Negara, in a statement on March 20, 2000, you issued a stern warning to employees of banking institutions to adhere to the secrecy provision under section 97(1) of the Banking and Financial Institutions Act 1989 (Bafia), reminding employees of licensed banking institutions to maintain the confidentiality of customers’ information.

Section 133(1) of the Financial Services Act (FSA), which replaced Bafia, similarly stipulates that no person who has access to any document or information relating to the affairs or account of any customer of a financial institution, including the financial institution or any person who is or has been a director, officer or agent of the financial institution, shall disclose such document or information to another person.

With that, the duty of secrecy requiring a banker to keep information relating to a customer’s account confidential is statutorily codified in the statute governing bankers.

If Bank Negara is to recall, in 2018 a bank clerk and a politician were charged and jailed under Bafia for conspiring to disclose the banking information of four parties to unauthorised recipients.

Even though Bafia was repealed and replaced by the Financial Services Act in 2013, the offence was apparently committed, and the charge preferred, prior to its repeal.

As you have maintained consistently and publicly, you have always reminded the chief executive officers of banking institutions of the importance of their role in ensuring that customer confidentiality is maintained at all times. Are you planning to initiate an investigation into this?

To RHB, in your press release, you confirmed that e-statements were indeed mailed to unintended recipients and that the error affected less than 0.5% of the bank’s total retail customer base in Malaysia. You assured your customers of the safety of their data.

However, it is not as simple as that. The bank has yet to confirm, nor has it said whether it intends to confirm, the following:

  • That all the unintended recipients are also customers of the bank, and that not a single e-statement was emailed to unintended recipients who are not your customers?
  • What investigative process has the bank undertaken, and what confirmation has it obtained, to verify that no ‘rogue’ email was unintentionally sent out to them?
  • How does the bank assure its customers that the unintended recipients did not share or forward the email they received unintentionally from your bank to rogue elements who would then use it to scam or hack into the accounts of those customers whose details were in those statements?
  • That punitive measures would be, or have been, taken against the employee(s) and the third party found to have breached the secrecy provision?

As the bank is also a listed entity and subject to the Capital Markets Act, and thus to the supervision of the Securities Commission (SC), have you notified the SC of this breach within the stipulated time frame of 24 hours, as specified in the SC’s guidelines on managing cyber risks issued on October 31, 2016?

Clause 4.16 of the guidelines states that the entity must report to the SC any detected cyber incident which may have, or has had, an impact on the information assets or systems of the entity, on the day the incident occurs.

Just an apology is not enough. We realise we have had enough and we have stopped listening. We believe only in deeds and acts, not in declarations.

I do not represent any group or customers of the bank, but I believe what I wrote above epitomises the general feelings of almost every one of the bank’s customers, who are powerless and voiceless in this recent breach by your bank.

It is possible that each of them will be living in perpetual fear for the rest of their lives, not knowing when their personal data, released without their authorisation, will be used against them by unknown scammers in the future.

Could this be the catalyst we are looking for from the authorities, for a change in how organisations mistreat and mislead their customers about their erroneous ways of protecting our personal data? A response from all parties would go a long way. – June 20, 2021.

* FLK reads The Malaysian Insight.

* This is the opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insight. Article may be edited for brevity and clarity.


Comments


  • What can one expect in a country led by "donkeys" in government, civil service, academia, commerce and industries, etc???

    Posted 2 years ago by Malaysian First