A lawmaker has criticised CyberSecurity Malaysia for its slow response to a report of a major personal data breach last month involving the International Trade and Industry Ministry’s (Miti) Public-private Partnership Covid-19 Industry Immunisation (Pikas) programme.
Speaking to Malaysiakini, Lembah Pantai MP Fahmi Fadzil noted that while the leak was first reported by technologist Suresh Ramasamy on May 22, the government agency only responded to the report five days later on May 27.
He labelled the response time as “absolutely unacceptable”, adding that the appropriate duration should be within 24 hours.
“As a lawmaker, the first thing I think that CyberSecurity Malaysia needs to do is give an explanation (on) why it took them five days to respond.
“Were they inundated with cases perhaps at that particular time of the month? Do they need more resources?
“Do they need Parliament to request additional funds for them? They have to come clean on this,” Fahmi (above) said.
People deserve explanation
This was echoed by Bandar Utama assemblyperson Jamaliah Jamaluddin who felt that the government should not keep mum on the matter.
"If a government is serious in serving the nation, by now, the ministry department or related authorities would have come out with a statement explaining the incident.
"The statement (should include) what are the actions that will be taken to address this issue, what are the precautionary measures that will be implemented in the future - either make strict new initiatives, policy or law to avoid the repetition of similar incidents,” she told Malaysiakini.
Jamaliah further said even if the news is inaccurate, the authorities should clarify the matter.
"However, nothing as such has happened, just silence. I wonder how this government is going to gain the trust of its people if they can’t even protect the basic database of its citizens?" she added.
Suresh, who has worked on cybersecurity with several telecommunication firms, first reported the leak on his LinkedIn page.
According to him, the personal data involved details of employees who registered under the Pikas scheme to obtain their Covid-19 vaccinations.
The details, which include identity card numbers and phone numbers, were stored in Microsoft Excel files and hosted on the vaccination programme’s website.
Fahmi expressed that if the data breach allegation concerns Miti in particular, the minister in charge or relevant department head must explain how the alleged leak took place.
"Who is responsible? What are the investigations that have been done to try and understand the situation? Was data leaked as alleged by this cyber security expert?" he asked.
A matter of safety
The PKR parliamentarian pointed out the situation has created doubt among the people to trust the government with their personal data.
"Not only does this erode the trust in government agencies to protect and keep safe the personal data of those they are in touch with.
"This makes it even harder for us lawmakers to continue to believe that the status quo is sufficient to protect and safeguard the data of Malaysians and non-Malaysians, if they have any interaction with government agencies," Fahmi added.
He went on to call for a review of the Personal Data Protection Act 2010 in order to make government agencies and department heads accountable for lapses in judgement and similar breaches.
“We cannot have what seems to be a culture of immunity or a lack of responsibility,” he said, before citing his previous 2018 civil suit against the Malaysian Communications and Multimedia Commission (MCMC) and Nuemera (M) Sdn Bhd for its alleged failure to protect 46.2 million personal data in 2014.
Additionally, Fahmi called for a parliamentary select committee to look into the matter and offer recommendations as soon as possible.
According to a report by health news website CodeBlue, Suresh filed a complaint with CyberSecurity Malaysia - an agency under the Communications and Multimedia Ministry - on May 22.
CyberSecurity Malaysia wrote back to Suresh on May 27 to state "the content you reported to us is no longer available. We hope this is of help and with this, we shall close the case".
This latest leak joins numerous others over the last year - with the more recent example being the alleged leak of Putrajaya's MyIdentity database earlier in May. - Mkini
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.