iPay88 breach: Is Malaysia losing the data privacy protection game?

• Malaysian payment gateway platform iPay88 admitted last week that they were the victim of a data breach.
• The announcement raised alarms among many, considering that iPay88 is one of the biggest point-of-sale solutions providers in the region.
• The payment methods affected include just online transactions via a credit, debit or prepaid card, excluding other points of payments.
• The country’s central bank is currently holding a forensic investigation on the payment gateway platform.

A Malaysian payment gateway platform iPay88 came forward last week to admit that they were the victim of a “cybersecurity incident” that occurred in May this year. For context, iPay88 is one of the biggest point-of-sale solutions providers in the region and a notification of breach, months after the incident actually occurred, had certainly stirred panic among many, to a point that the country’s central bank initiated a forensic investigation on the company.

Now, for a country like Malaysia, a cyberattack may not be so much of a commonplace (at least in the public eye) but a data breach definitely is. Like the iPay88 breach, most incidents would be made known eventually, by the media, if not by other relevant parties. Unfortunately though, recent occurrence has signaled that nothing much is being done after a breach is brought to light. 

The many incidents before iPay88 breach 

Let’s go back to April this year when Malaysians were given a rude awakening, following the revelation of the personal data of 22.5 million citizens born between 1940 and 2004, ranging from their full names to identification numbers, home addresses, phone numbers and ID photos. All of which were stolen from government servers and sold on the dark web for a reported price of just US$10,000.

Local tech portal Amanz had initially reported that a database allegedly from the National Registration Department (NRD) about 160GB in size, is just an expanded database compared to the one the hacker sold in September last year, which was only data of up to the year 1998. For context, the April revelation is not the first time involving a breach with the NRD.  Last year, a database of about four million Malaysians from the NRD also made its way to forums on the dark web and was sold on it.

When the first data leak was discovered in September last year, it allegedly involved the NRD database of people born between 1979 and 1998, and was being sold for 0.2 BTC (RM35,350). In both incidents, it was claimed that the data was siphoned from the NRD through the MyIdentity API (application programming interface). MyIdentity is a centralized data-sharing platform that is used by various government agencies. 

The data that was made public by the hacker is easily attainable by simply keying in a portion of a valid ID number. Users then could gain access to everything from names and addresses to voting constituencies and student loans, suggesting that data leaks were not confined to servers managed by the national registration department but also that of the election commission and financial agencies.

What is worse is that the now-defunct website offered more in-depth data for a price, and even offered to help flush personal information from the database for a US$99 fee. Certainly, the two aforementioned incidents are not isolated cases when it comes to data security breaches faced by Malaysians. The stark reality however, is the fact that the government had been largely silent about the hacks. Meanwhile, a couple of ministers have actively dismissed concerns of lax data security in the country, whenever related issues were raised in Parliament.

Has the recent iPay88 breach incident alarmed the authorities enough?

When the leak from NRD were brought to light earlier this year, Malaysia’s Home Minister Hamzah Zainudin conveniently shifted the blame away from the country’s registration department and instead pointed to “several agencies” like telco companies, financial institutions and other agencies as being the source of the leak. Hamzah even emphasized that there was a mechanism in place which could prove that the leaked information did not come from the NRD.

As of Friday last week, the Malaysian Communications and Multimedia Commission (MCMC), the Personal Data Protection Department (PDPD) and CyberSecurity Malaysia (CSM) said they were looking into the matter and have met with iPay88 representatives. Even the Communications and Multimedia Ministry said they will take immediate action regarding the data breach that hit the  online payment service provider.

Coincidentally, on Monday, Malaysia’s PDPD took the opportunity to reveal that there have been approximately 3,699 reports of personal data breach in Malaysia since 2017, according to the director of the department Mazmalek Mohamad. He told a local newspaper that the leak of personal details happens commonly when people register for things online — without emphasizing on the severity of the situation in the country when it comes to data breaches.

Currently, there are several bodies that oversee the use of data in Malaysia, including how it is stored and protected. While there are laws in Malaysia, such as the Personal Data Protection Act 2010, a recent report by The Star highlighted that the Personal Data Protection Department (PDPD), an agency under the government’s Communications and Multimedia Ministry is not living up to its purpose.

A report this year by cybersecurity company Surfshark proves that as it placed Malaysia as the eleventh most breached country in the second quarter of 2022. The study analyzed millions of breached accounts from April through June, 2022, which showed more than 665,200 Malaysians have been breached during this period, recording a growth of 733% in the last quarter alone.

Frankly, most organizations and governments around the world would be scrambling whenever a data breach occurs, but the Malaysian government seems to have carried a calm demeanor when handling such matters — signaling either they have it all under control or the administration is pretty laxed when it comes to such cybersecurity incidents. 

---

---

---

---