The latest high-profile, sensitive data breach victim is the Malaysian Election Commission (EC) MySPR system database

A voter, with his marked ballot papers in hand, walks past the logo of the Election Commission printed on a booth as he prepares to cast his vote at a polling station in Kepala Batas, northern Penang state on March 8, 2008. Malaysians began voting March 8 in general elections expected to hand the ruling coalition another victory but with a reduced majority, as ethnic Chinese and Indians shift to the opposition. (Photo by TENGKU BAHAR / AFP)

‘X’ marks the MySPR election database, found for sale online

  • The MySPR database of Malaysian voter records, covering at least 800,000 users, has been found for sale online
  • A total of RM73 million (approx. US$5.83 million) will be allocated to strengthen cybersecurity in Malaysia
  • Malaysia was the 11th most data-breached country in the second quarter of 2022 

Data breaches are becoming increasingly common, and it seems like hardly a week goes by without another high-profile one hitting the headlines. The latest victim is the Malaysian Election Commission (EC) MySPR system database.

The data of more than 800,000 users, including selfies and pictures of the MyKad national ID, which were part of the system’s Electronic Know Your Customer (eKYC) implementation, was found on a much-publicized online marketplace for databases.

The database, which also contains information on the entire electoral roll with details of 22 million voters, is being sold for around RM9,401 (US$2,000). However, the seller specifically requested that payment be made via cryptocurrency.

This and other recent Malaysian data breaches raise serious concerns about the safety and security of the country’s information and data. It also raises questions about the country’s readiness to face future elections, when crucial personal data from official government sources can seemingly be found online easily — and for a paltry sum for such sensitive data, no less.

What is the MySPR system database?

The Malaysian Election Commission (EC) originally implemented the MySPR system to streamline and centralize the registration of voters in the country. The MySPR system is an online database that contains the personal information of all registered voters in Malaysia. 

The personal information of registered voters includes their name, IC number, date of birth, address, and contact information. The MySPR system is accessible to all citizens of Malaysia who are aged 18 and above. 

MySPR Daftar can be deemed obsolete with the implementation of automatic voter registration earlier this year, but this does not mean that the EC has abandoned the system.

Malaysian citizens outside the country, and eligible members of security forces and related frontline agencies who must be on duty on election day, also need to use the system to apply for a postal vote. The MySPR system was created to improve the efficiency of the voter registration process in Malaysia.

A volunteer for the opposition Malaysian Pan-Islamic Party (PAS) checks registration details at a voter’s list confirmation booth in the 2008 general elections. (Photo by TENGKU BAHAR / AFP)

Malaysia is trying to strengthen cybersecurity

The recent MySPR database leak raised questions about whether the data protection laws in Malaysia are adequate. This news surprises many, as the Malaysian government has been relatively vocal about its efforts to protect the personal data of its citizens.

In fact, it was shared during Budget 2023 that a total of RM73 million (US$5.83 million) will be allocated to strengthen cybersecurity in Malaysia, specifically in threat monitoring, detection, and reporting, and to develop the nation’s cyber forensic capabilities.

As part of the drive to combat cybercrime and scams, a National Scam Response Centre will also be set up involving the police, the central Bank Negara Malaysia, the National Anti-Financial Crime Centre, and financial institutions operating locally.

Recent data breaches in Malaysia

This is not the first time a data breach has hit the Malaysian government, by a long shot. Among the recent ones is a data leak where the personal financial data of 22 million Malaysians from the National Registration Department were sold on the dark web.

Nearly two million payslips and tax forms in PDF format, amounting to 188.75 gigabytes from the Penyata Gaji (ePaySlip) system, were extracted by a group of grey hat hackers. According to cybersecurity company Surfshark, Malaysia was the 11th most data-breached country in the second quarter of 2022, based on an analysis of millions of breached accounts from April to June. 

Meanwhile, Trend Micro Incorporated revealed that two-thirds (67%) of Malaysian organizations think they’ll be successfully attacked in the next 12 months, with 22% claiming this is “very likely” to happen. The report also shows that 87% of companies claimed to have suffered one or more successful cyberattacks in the past 12 months, while 26% had more than seven data breaches of information assets.

This is a worrying trend, as Malaysia does not seem adequately prepared to deal with such attacks. Data breaches can significantly impact individuals, businesses, and the economy.

They can lead to identity theft, financial loss, and damage to reputation. Although the Malaysian government is taking steps to address the issue, more needs to be done to protect the data of Malaysians.