Take data leaks seriously


Emmanuel Joseph

The writer says educating individuals about data security and investing in end user protection is pointless if the data breach points happen on such ridiculously large scales. – EPA pic, May 10, 2023.

LAST weekend, Universiti Teknologi Mara issued a public apology for a data leak involving 12,000 students online. 

This latest incident, just one in a long string of data leaks involving Malaysia in the past three years, is alarming and shows a severe lack of seriousness about safeguarding our data on the part of those entrusted with it.

While Malaysia has enacted several laws with regard to the security of our data, and routinely updates guidelines by agencies such as the Malaysian Communication and Multimedia Commission, and Cybersecurity Malaysia, the lackadaisical attitude with which our data are handled is appalling.

In the past 36 months alone, we have seen data breaches by major institutions that supposedly boast state-of-the-art facilities.

All three major Malaysian airlines, MAS, AirAsia and Batik Air, have seen their information systems breached in the past years; in the case of MAS, it was a leak involving an IT vendor that spanned nine years.

AirAsia was hit by a ransomware attack involving five million accounts. Batik Air had 45 million records stolen from its databases. 

Consumers of entertainment were hit when Astro reported a data leak last year, while Malaysian Facebook and WhatsApp users were part of a global script-based hacking incident – where 11 million records were stolen. 

Our government agencies, including the Election Commission, were breached too, with names and MyKad numbers involved, while quite a few civil servants had their online payslips exposed.

Even financial institutions, regarded as having top security safeguards in place, weren't spared: users of Maybank's online banking and iPay88 were both told there were security incidents a couple of years back, while we hear of other banks occasionally dealing with major hack attempts.

To date, the public may not know what action, if any, has been taken on all the parties above.  

Educating individuals about data security and investing in end user protection is pointless if the data breach points happen on such ridiculously large scales. 

While some studies show up to 62% of Malaysians lack sufficient cybersecurity knowledge to safeguard themselves online, it pales in comparison to the vast levels of leaks happening on a national scale.

At the rate incidents are happening, it would seem almost every Malaysian already has their data up for sale somewhere in cyberspace.

What then is the point of the safeguards and security systems set up by the government? Our national installations are audited by our National Security Council annually, and many government agencies are required to have ISMS or similar security ratings.  

Private entities, too, are required to submit to audits. For example, banks and financial institutions are routinely subjected to audits by Bank Negara Malaysia and the Securities Commission.

Some multinational banks with heavy dealings in the US dollar are sometimes additionally examined by the US Secret Service.

If all these checks are in place, what has failed? 

Perhaps it is the lack of focus on the security of the data itself, rather than on the safeguards put in place: on weak links in the storage or transport of data, such as transmission, caches, network storage, clouds, and data lakes.

Maybe the fines and penalties for such breaches need to be increased and involve harsher sanctions like jail terms or suspension of licences to really affect parties who suffer breaches due to insufficient precautions. 

The data landscape today is complex, with many touch points as users demand more data and ways to access it, and the threats involve state-sponsored players, hacktivist groups and even kiddie scripters.

The technical capabilities of our public and private entities need to be on par, and our laws up to date, to deal with these new threats.

Public confidence in our data handling needs to be restored, along with the reputation we have collectively lost as a country. – May 10, 2023.

* Emmanuel Joseph firmly believes that Klang is the best place on Earth, and that motivated people can do far more good than any leader with motive.

* This is the opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insight. Article may be edited for brevity and clarity.


