Security hole in petrol subsidy website patched, calls for accountability

By THE STAR | 18 October 2019


PETALING JAYA: The Government says it has fixed the loophole in the petrol subsidy website that allowed banking details of individuals to be revealed to the public.

The Ministry of Domestic Trade and Consumer Affairs said in a statement that it had patched the vulnerability within hours of being informed on Thursday and that the site had been re-opened for use by the public.

"Referring to the technical issues concerning the official portal of Petrol Subsidy Programme, the ministry has taken immediate action to address the problem.

"At 1pm on Thursday, the technical issues were successfully addressed, and the PSP portal was re-activated with improvements on its system and data security aspects," it said.

The microsite, which went live on Oct 15, could potentially have exposed the details of 2.9 million people the ministry had identified as belonging to the B40 income group, which qualifies for the fuel subsidy.

Local tech forum Lowyat.net had reported that once a person’s MyKad number is entered onto the site, it would reveal the name of the user’s bank, along with the last four digits of the account number.

However, when Lowyat.net looked at the page's underlying source code, which any visitor can view from a web browser, the full account number was present: the site had only masked the number on screen, not in the data it sent to the browser.
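The flaw Lowyat.net described is the classic client-side masking mistake: the server sends the full value to the browser and a script hides part of it on screen, so "view source" or the browser's network tab still shows everything. The following is an added example written for this article, not code from the PSP portal (whose implementation is not public). The record shape, the bank name and the account number are constructed sample data, and the 10-digit threshold in the leak check is an assumption chosen to catch full account numbers while ignoring a four-digit suffix.

```javascript
// Added illustration of client-side vs server-side masking. All data below is
// constructed sample data; nothing here comes from the real subsidy portal.

// Constructed record, as a back-end lookup keyed on a MyKad number might return it.
const sampleRecord = {
  bankName: "Example Bank",          // assumed bank name
  accountNumber: "1234567890123456", // constructed sample, not a real account
};

// Minimal HTML escaping so untrusted values cannot break out of the markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// VULNERABLE pattern: the full record reaches the browser and the page masks
// it with JavaScript. The secret is already in the response body and the DOM,
// here kept in a data attribute, a common way the full value ends up in source.
function renderClientMasked(record) {
  const masked = "****" + record.accountNumber.slice(-4);
  return `<div class="result" data-account="${escapeHtml(record.accountNumber)}">` +
         `<span class="bank">${escapeHtml(record.bankName)}</span>` +
         `<span class="acct">${escapeHtml(masked)}</span></div>`;
}

// HARDENED pattern: mask on the server and hand the browser only the fields
// the page needs. The full account number never leaves the back end.
function maskServerSide(record) {
  return {
    bankName: record.bankName,
    accountLast4: record.accountNumber.slice(-4),
  };
}

function renderServerMasked(view) {
  return `<div class="result"><span class="bank">${escapeHtml(view.bankName)}</span>` +
         `<span class="acct">****${escapeHtml(view.accountLast4)}</span></div>`;
}

// Check a tester can run over any HTML or JSON a site returns: does the raw
// response contain a run of digits long enough to be a full account number?
// minDigits is an assumed threshold; adjust it to the account format in scope.
function leaksFullAccount(responseText, minDigits = 10) {
  const re = new RegExp(`\\d{${minDigits},}`);
  return re.test(responseText);
}

// Stand-alone demonstration.
console.log("client-side masking leaks:",
            leaksFullAccount(renderClientMasked(sampleRecord)));
console.log("server-side masking leaks:",
            leaksFullAccount(renderServerMasked(maskServerSide(sampleRecord))));
```

The check is deliberately crude: it inspects the raw bytes the server returns, not what the rendered page displays, because that is exactly the gap the microsite fell into. Run it against the full HTTP response (or the JSON an XHR fetches), not against the visible text.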

Punish errant organisations

In the wake of this data leak, experts are calling for regulatory bodies to take punitive action against organisations that expose users’ personal data, making them vulnerable to scammers.

“In most countries, regulatory bodies define, manage, influence and control how data should or shouldn’t be used by any company or individual,” said enterprise information management vendor ASG Technologies general manager for Asia Pacific Praveen Kumar.

“Unless there is a commercial deterrent defined by regulatory bodies, the business case to invest in data governance, protection and management is not easily justifiable.”

Praveen added that as a result, most companies valued data and treated it as an asset to be merely monetised.


Fong Choong Fook, director at cybersecurity company LGMS, said the security flaw was probably caused by the ministry rushing to launch the microsite.

“The bigger concern now is if someone could have used the website as a tool to steal information; just imagine what a person can do with the details.

“Impersonating an authority figure such as a bank or police officer is a tactic often used by Macau scammers. The more information they have about a user, the more convincing they can be,” he said.

Fong added that the website developer should have encrypted the information.

“This is why I’m not surprised that Malaysia was ranked as one of the worst in personal data protection.

“Both private and public sectors are not fully aware of their responsibility to protect data,” he said.

Malaysia ranked poorly at data protection

A study by British tech website Comparitech on privacy and surveillance in 47 countries placed Malaysia as the fifth-worst country in terms of protecting the personal data of its citizens.

The worst was China followed by Russia, India and Thailand.

Fong said that there were not enough prosecutions to bring irresponsible organisations to justice.

“We hardly hear of any party being penalised when it comes to data leak or data loss. So overall, the entire ecosystem is poorly coordinated,” he said.

The report gave Malaysia a score of 2.64 out of five points based on several criteria, including privacy enforcement, data sharing, visual surveillance, identity cards and biometrics, and government access to data.

It further notes that currently only the Personal Data Protection Act 2010 (PDPA) protects the personal data of a person in the country.

“Also, our PDPA doesn’t apply to government agencies, so there is no way they can be held accountable if there is any data loss on their part,” said Fong.

He added that Malaysia should take a page out of the European Union’s General Data Protection Regulation (GDPR) to improve data privacy.

“The five best-performing countries in protecting the privacy of their citizens are European. The GDPR has made very clear the consequences of non-compliance, and the penalty is really heavy,” he said.

Ordinary folk suffer

Meanwhile, Praveen said the risks of not managing personal data carefully have greater consequences for the consumer and end-user than the enterprise using the information.

“As regulatory environments enact more stringent penalties, there would be a marked difference in how data is stored and analysed by most organisations,” he said.

Last year, the Malaysian Communications and Multimedia Commission (MCMC) terminated the contract of Nuemera (M) Sdn Bhd, which was linked to a massive data leak involving 46.2 million telco accounts in 2017.

Nuemera was contracted in 2014 by the MCMC to manage its Public Cellular Blocking Service (PCBS), which stops stolen phones from making calls, messaging or connecting to the Internet.

Earlier this month, Communications and Multimedia Minister Gobind Singh Deo told The Star that his ministry was looking at the GDPR as part of its move to amend PDPA.

“The GDPR has many provisions which are very important and helpful but we have to consider requirements that are unique to us.

“So, we’re going to look at the GDPR, the different recommendations that have been put forward by stakeholders, and come up with our own model to see what’s suitable for us to present here,” he had said.

Gobind added that amendments and improvement to the current Act would hopefully be presented to Parliament by the middle of next year.

In the meantime, Fong said there were many measures users could take to minimise the consequences of a data breach.

Steps you can take

“Change your password every now and then, choose a strong password, and you should not use the same password across different websites.

“These are some of the common practices individuals can adopt to protect themselves just in case there’s a data leak,” he said.

Praveen also reminded individuals to be responsible for the data they share, and to be aware of the kind of personal information they reveal to companies and through websites.

“Individuals should also avoid providing personal information to unknown sources.

“It is also important for people to clear the cache and history of their web browsers so that personal data does not get stored unknowingly.

“When using a connected device, people need to be careful about which WiFi networks they are connecting to and avoid phishing emails,” he said.

Phishing is the practice of tricking users into handing over confidential or sensitive data, typically through emails, messages or websites that impersonate a trusted party such as a bank or government agency.

In a separate study conducted by US tech giant Microsoft Corp and IDC Asia/Pacific in June titled “Understanding Consumer Trust in Digital Services in Asia Pacific”, 41% of consumers in Malaysia said they feel that the government should take the lead in building trust, followed by technology companies and communities.

The study showed that only 24% of consumers in Malaysia believed their personal data would be treated in a trustworthy manner by organisations offering digital services.

In a statement that accompanied the study, CyberSecurity Malaysia chief executive officer Datuk Dr Amirudin Abdul Wahab said: “As our digital economy continues to grow manifold, it has also opened various risks. Data privacy remains a key concern, with both consumers and businesses being at risk of a data breach.”
