MALAYSIA Tanah Tumpah Darahku


Friday, December 30, 2022

What action will Fahmi take over data breach?


The alleged data leak said to have compromised the personal details of nearly 13 million Malaysians is serious, though you would not think so from the lack of concern shown by the people.

Communications and digital minister Fahmi Fadzil said the leak involved a huge amount of information. Personal details such as login ID, full name, date of birth, address and identity card number were offered for sale on the internet.

On Christmas Day, a user called Nimori had posted an advertisement on a database-sharing online forum called “Breached”. He claimed that he was in possession of 3.5 million personal records from Astro, 1.8 million records from Maybank and 7.2 million records from the Election Commission.

Two weeks earlier, on Dec 10, a person who identified himself as “Dreamstime”, had posted a similar advertisement.

Both advertisements did not state an asking price.

Fahmi has instructed CyberSecurity Malaysia (CSM) and the personal data protection department (JPDP) to investigate and take action. So what action will they take? Will they fine the companies involved? Is this the first time that these companies have been involved in such a breach?

Will the companies contact each person whose data had been compromised? Will they tell the person whose data had been leaked to do a simple risk assessment? Will the companies tell the individuals involved of the possible harm that could befall them?

This is not the first serious data breach that has occurred, but was follow-up action taken in the previous occasions? Were the companies fined, the individuals involved prosecuted, or was it a case of things returning to normal and the companies involved not learning from their mistakes?

The personal data that has been stolen could be used by criminals to commit identity theft. Again, many Malaysians are not aware that this is a serious matter.

So what would you do if you were to receive a letter urging you to service your house loan and threatening the seizure of your house, but know that you have not obtained a loan?

How would you react if you were to go to the polling booth only to find that you are registered to vote in another state? Or that you had already voted earlier that morning? These actions have robbed you of your democratic right to vote.

Wouldn’t you be livid if you found that your account has been emptied because a “new” credit card in your name had been used on a spending spree?

These are some of the ways which the criminals can use your personal details.

When you think that a breach has occurred, it is important that you establish what personal details are involved. High-risk situations include the personal information of vulnerable people, or children.

Once it is known who has your personal data, then you may have to assess the risk involved. For instance, accidentally sending an email to a work colleague in another department has a lower risk than sending the same email to a complete stranger who does not belong to your organisation.

You may then have to evaluate if the breach has a serious impact on the lives of the people who were affected by the breach. For instance, with an IC number, full name, date of birth and address, your details could be used to apply for another credit card or loan.

What happens if some individuals have been affected by identity theft as a result of this breach? Will the individual be allowed to sue the EC or Maybank or Astro for the damage done?

It would be great if Fahmi could give some guidelines to prompt people into being more concerned about the data breach, and also suggest measures to protect themselves from similar occurrences in the future.

In the past, few Malaysians had heard again from the ministry about the action it took against the individuals involved. We cannot be allowed to be put in the dark again. - FMT

The views expressed are those of the writer and do not necessarily reflect those of MMKtT.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.