The state of cyber security in Malaysia in 2023.

What’s going on with cyber security in Malaysia?

  • TM faced another data breach impacting Unifi customers’ personal data.
  • Malaysia recorded an average of 84 million cyberattacks a day in Q4 2022.
  • Upcoming laws aim to boost Malaysia’s cybersecurity framework.

While Malaysia has emerged as a dynamic player in the realm of digital transformation, it’s far from perfect when it comes to handling cyber security incidents. Despite its robust cybersecurity measures, the country has faced challenges securing its vast digital landscape.

TM faces another data breach

Telekom Malaysia (TM) recently confirmed a data breach involving historical Unifi customers’ personal information, including names, national identification, passport numbers, and contact details. However, the company stated that no financial information was affected.

“The company confirms that the breach has been contained and proactive steps have been taken to protect the data across its platforms. It has sent out notifications to customers informing them of the data breach and to be wary of phishing tactics including online scams, suspicious links and unsolicited phone calls,” the company said in a statement.

TM reported the incident to relevant authorities, including the National Cyber Coordination and Command Centre, Department of Privacy and Data Protection, and the Malaysian Communications and Multimedia Commission. It assured customers that its Unifi services remain fully operational without impacting its users.

This was not TM’s first data breach; a similar incident occurred just a few months ago, impacting the contact information of 250,248 Unifi Mobile customers. The affected individuals and small to medium enterprises were notified promptly, and the company took steps to minimize the potential impact. Those who did not receive any notification were not impacted.

Back then, TM vowed to strengthen its data security framework, policies, systems, and processes, benchmarking them against Bank Negara Malaysia’s Risk Management in Technology standard and ISO27001, as well as other global standards, to prevent such occurrences.

Such incidents have sparked questions about Malaysia’s approach to minimizing cyberattacks. New Straits Times reported that Malaysia experienced an average of 84 million cyberattacks every day during the fourth quarter of last year (4Q 2022), according to global cybersecurity solutions provider Fortinet.

Fortinet’s Southeast Asia and Hong Kong vice-president, Peerapong Jongvibool, noted that the attacks included viruses, botnets, and exploits detected by FortiGuard Labs’ cybersecurity solutions, ranking Malaysia among the most vulnerable locations in the region.

According to FortiGuard Labs, Malaysian cyber threats in the fourth quarter of 2022 included 61.1 million virus detections, 50.2 million botnet attacks, and 7.5 billion exploit detections.

Furthermore, Malaysia fell victim to multiple cyberattacks last year, including data theft from a national registry and a payment gateway data breach. A group known as the “grey hat cyber security organization” broke into a payslip system, extracting nearly two million payslips and tax forms, stealing up to 188.75 gigabytes of data, and highlighting system vulnerabilities.

Such cyberattacks reveal that many Malaysian organizations lack proper cybersecurity measures, leaving them vulnerable to malware, ransomware, and phishing threats. Given the significant financial risks to enterprise value, cybersecurity is rightly seen as a governance issue and an indicator of management quality.

Enhancing cyber security governance in Malaysia

The issue hinges on understanding cybersecurity in the environmental, social, and governance framework. However, confusion arises due to the presence of two cybersecurity agencies, leaving many unclear about who handles what.

Here is a brief breakdown. Two central bodies govern cybersecurity in Malaysia: the National Cyber Security Agency (NACSA) and CyberSecurity Malaysia (CSM). NACSA, instituted in 2017, is entrusted with bolstering Malaysia’s cyber-resilience by consolidating the country’s top resources and expertise. The agency is also involved in formulating cybersecurity policies, safeguarding critical infrastructures, and leading awareness campaigns.

CSM, established as a governmental agency in 2007, fosters a secure cyber ecosystem through quality services, cyber knowledge, and nurturing talent. Often the first point of contact for regional cyber incidents, CSM consistently issues advisories and encourages preventive measures for cyber safety.

Both NACSA and CSM recognize the country’s limitations in enforcing data breach laws, particularly the lack of a legal requirement for organizations to report data breaches or cyber incidents. This issue has been repeatedly stressed as a primary concern in the cybersecurity sphere. The hope is that an upcoming cybersecurity bill will encourage stricter adherence to cyber safety protocols and improve overall cybersecurity in Malaysia.

There’s a noticeable lack of tangible progress despite extensive discussions about Malaysian cybersecurity laws. While Malaysia was among the early adopters of a data protection act, the country has struggled to keep pace with the likes of Singapore, mainly due to differences in implementation and enforcement.

When data leaks occur, public attention generally shifts towards CyberSecurity Malaysia (CSM). However, it’s crucial to recognize that despite possessing the technical know-how and infrastructure to handle these incidents, CSM lacks the legislative authority of the Personal Data Protection Department (PDPD).

The existing Personal Data Protection Act (PDPA) is becoming outdated, covering only commercial transactions. Compared to comprehensive frameworks like the General Data Protection Regulation, which is not confined to commercial transactions, it falls short.

Nevertheless, there is a glimmer of hope. The revised PDPA, expected to be tabled this year, along with an Act on cybersecurity, could establish a much-needed baseline and framework for cybersecurity in Malaysia. The effectiveness of these potential measures will ultimately depend on their enforcement.

The Prime Minister of Malaysia himself has stressed that “there will be no compromise on national security, including in the digital domain and cyber eco-system.” The Prime Minister also stated that NACSA, which is under the National Security Council (MKN), will assume the main responsibility of mobilizing efforts across various government entities. The bill will give NACSA clear legal authority to regulate and enforce laws related to cyber security and improve the effectiveness of its functions.

Recent cyber security incidents and their impact in Malaysia

Having understood the country’s cybersecurity challenges, let’s look at some other critical cybersecurity incidents in Malaysia that occurred recently.

Malaysian Prudential companies impacted by global MOVEit cyber onslaught

Prudential Assurance Malaysia Bhd (PAMB) and Prudential BSN Takaful Bhd (PruBSN) found themselves among the victims of the global MOVEit data-theft attack, which exploited a zero-day vulnerability. Immediately after the incident, both insurance firms took rigorous steps to isolate the compromised server and assembled an incident response team. This team launched an extensive investigation and reported the matter to the concerned authorities.

The attack may have compromised a large amount of personal data belonging to agents and customers, including names, contact details, national ID numbers, and banking details. In light of this, there’s a looming risk of unauthorized transactions. Nevertheless, both PAMB and PruBSN remain dedicated to continuously enhancing their defense mechanisms, as demonstrated by their quick response to the vulnerability in the MOVEit software.

AirAsia hit by ransomware attack

A security loophole allowed hackers to penetrate the AirAsia system, granting them access to sensitive employee and passenger data. The hackers later released this information online in two separate files in an incident known as the AirAsia ransomware attack of November 23, 2022. The attack exposed the personal information of about five million individuals, including customers and employees.

The hackers shared one file containing passenger IDs, full names, and booking IDs, while the other included various employee data. Despite negotiations with the hackers, AirAsia refused to pay the demanded ransom.

An initial probe points to an illegal server intrusion at AirAsia on November 12, 2022 as the cause. The hackers exploited a security lapse, accessed crucial staff and passenger data, and began disseminating it online.

iPay88 encounters a security breach

iPay88, a well-known payment gateway, suffered a cyberattack that mainly impacted online card data transactions. The intrusion, attributed to a sophisticated and unidentified party, focused explicitly on online card data, leaving other transaction methods unaffected.

Due to its crucial role in facilitating financial transactions, iPay88 acknowledges its immense responsibility to protect card information. It has taken significant steps to contain the situation and secure all transactions through its gateway.

By July 20, the company had successfully completed all containment and remediation actions. Since then, there’s been no indication of further intrusions. iPay88 seems confident in the protective measures of the 3D Secure system, which requires one-time PIN verification for online transactions.

Moreover, iPay88 is actively partnering with other industry players to reduce risks from the incident. This collaborative approach underscores its commitment to mitigating the breach’s impact and fortifying its defenses against future incidents.

Practical approaches to preventing cyberattacks

Given the recent surge in cyberattacks and the increasing complexity of these threats, it is crucial to adopt robust and efficient approaches to prevent such occurrences.

  1. Proactive defense measures

The first line of defense against cyber threats begins with proactive defense measures. Organizations should be constantly vigilant, monitoring their networks for unusual activity and regularly updating and patching their software. By staying ahead of potential threats, organizations can mitigate the damage caused by a cyberattack before it escalates. This strategy includes regularly conducting vulnerability assessments and penetration tests to identify potential weaknesses and rectify them promptly.

  2. Building cyber resilience

Cyber resilience refers to an organization’s ability to deliver its intended outcome continuously despite adverse cyber events. It’s about developing an organization’s ability to withstand, recover, and learn from cyberattacks. Developing a comprehensive incident response plan is crucial to achieving cyber resilience. This plan should clearly define roles and responsibilities during a cyber incident, provide step-by-step procedures for identifying and addressing breaches, and incorporate regular training and simulation exercises to prepare employees.

  3. Enhancing cybersecurity education and awareness

As cyber threats become increasingly sophisticated, so must the knowledge and awareness of employees. Regular training on recognizing potential threats such as phishing emails, implementing strong password policies, and understanding the importance of regularly updating software can significantly reduce an organization’s vulnerability to cyberattacks. Creating a culture of cybersecurity awareness requires ongoing communication, training, and leadership support.

By adopting these approaches and committing to continuous improvement and adaptation in the face of evolving threats, Malaysia can build a more resilient cyber ecosystem and significantly reduce the impact of cyberattacks on its digital landscape.