Malaysian government

(Photo by Mohd RASFAN / AFP)

A hole or a mole in Malaysian government agencies as another database leaked?

Given the increasing number of data breaches around the world, more companies are increasing their data protection. However, some organizations and even governments continue to be targeted by cybercriminals.

There are probably two reasons for this. The first being the data being targeted is highly valuable, making the company a constant target by cybercriminals no matter how much they spend on protecting their data. The second reason is most likely because the organization or government agency still refuses to invest sufficiently in cybersecurity or still does not understand the full impact of a data breach.

Take the data breaches experienced by the Marriott group for example. The hotel chain just experienced its third data breach in four years. It has already been fined for its previous data breach, with hackers claiming to have stolen up to 20GB of sensitive data, including guests’ credit card information in the latest data breach.

The previous two data breaches were in 2014, which weren’t detected till 2018, and in 2020. All data breaches have involved guests’ records and personal information. The company has yet to share what cybersecurity measures it has put in place, leaving many to feel that it does not have a sufficient data protection plan in place as well.

Apart from the hotel chain, Malaysian government agencies have also been continuously targeted by cybercriminals. In the past two years alone, data from government agencies have made its way to the dark web several times, with the information being sold at cheap rates to those that intend to purchase them.

The latest data breach involves another Malaysian government agency. Reports show a hacker group claiming to identify vulnerabilities in the government salary data system for Malaysian civil servants. The organization claims that it has managed to breach the government system and obtain a significant amount of data through security vulnerabilities.

Acknowledging the incident, the Accountant General’s Department of Malaysia (JANM) has recently suspected that there may have been an attempt to trespass their system recently. As expected, the department has decided to strengthen the security infrastructure and mechanism of the system as a precaution, another reactive approach.

This is not the first-time personal data for a government agency was compromised. A few months earlier, personal data of 22.5 million Malaysians were leaked online as well. The list was sold on the dark web and contained personal data including names, identification records, and addresses of several politicians.

Once again, the agencies are only taking a reactive approach to their data breaches. The reality is though, cybercriminals are only going to continue to find vulnerabilities in the system and exploit them to their benefit.

Another problem in cybersecurity management in Malaysia is the agencies involved in handling the matter. While the investigations of data breaches are normally carried out by the police, the two main cybersecurity agencies in the country are focused more on the development of cybersecurity and not on investigating data breaches.

But even so, these two agencies need to ensure they are keeping a close eye on how government agencies are protecting their data. If a hacker can breach the national accounts department to get access to salary details, there is a possibility that other government agencies could also have vulnerabilities that are waiting to be exploited.

In fact, a recent cybersecurity report stated that Malaysia is the eleventh most breached country in the first half of 2022. Another report also stated that Malaysian organizations will continue to see increasing breaches and cyber incidents for the rest of the year.

To avoid and reduce such incidents, a proactive approach toward cybersecurity and data protection has to be in place. And this is not only for the government of Malaysia or the Marriot hotel group but for all organizations and agencies that feel their systems are secured enough and will only react when there is a breach.