
Is data privacy just a pipedream in Malaysia?

When it comes to data privacy laws in Malaysia, one of the biggest problems is implementation. Over the years, the government has announced allocations to improve cybersecurity and protect the data of Malaysians. Yet, the country continues to experience some of the worst data breaches in the region.

In 2022 alone, there were several major data breaches involving high-profile companies and government agencies. One of the biggest data breaches in Malaysia last year was when the personal details of 22 million Malaysians, allegedly from the National Registration Department, were leaked and sold online.

The government has since launched an investigation into the matter and the minister in charge of the government agency at the time stated that the breach was not a big issue.

Another data breach involved online payment provider iPay88. Upon investigation, the company stated that the data breach only affected card data from online transactions. It also said that the data breach was the result of a sophisticated intrusion by an unidentified party. Bank Negara Malaysia, the central bank of Malaysia, released a statement stating that iPay88 had taken the necessary containment and rectification measures to address gaps that were identified following the completion of an independent forensic investigation.

No fines were issued to either iPay88 or the National Registration Department. Since the government changed late last year, the new minister overseeing such incidents has been actively keeping tabs on how companies manage their data and uphold the privacy of Malaysians.

When there was a report of a website that had listed personal data of 3.5 million Astro subscribers, 1.8 million Maybank accounts and 7.2 million users compiled by the Election Commission, Fahmi Fadzil, the Minister of Communications and Multimedia of Malaysia, requested the Personal Data Protection Department and CyberSecurity Malaysia to investigate the allegations.

While investigations get underway, there is still the issue of jurisdiction. Hence, some alleged data breaches, especially those involving government agencies, would be left to the National Cyber Security Agency. Currently, organizations that fail to comply with the rules on how they manage the personal data of Malaysians can, if found guilty, be fined not more than RM300,000, jailed for two years, or both.

Since taking over the ministry, Fadzil has also stated that data breaches in Malaysia need to be taken more seriously. In an interview with MalaysiaKini, the minister said Malaysia needs to get the infrastructure and data security right if the country wants to bring in more investments and usher in what he describes as the golden digital decade for the country.

Again, while this may sound promising, the country has to ensure that the rules are actually implemented and followed as well. Businesses and government agencies that do not take personal data seriously should be held accountable. It’s been a long time since any company was fined for a data breach in the nation.


Weak data privacy implementation in Malaysia a delight for scammers.

One of the most common examples of how easily data can be leaked in Malaysia is scam calls. Scammers have been making millions from Malaysians by impersonating officers from government bodies, and in most cases already have sufficient data to target their victims. That data itself comes from leaks at organizations or agencies.

A report by NordVPN showed that about 50,000 Malaysians had their online identities stolen and sold on bot markets for RM27 (US$6 approximately) on average. In fact, according to the Royal Malaysian Police, in 2020 there were 20,701 scam cases reported with losses amounting to RM560.8 million. The figures for 2021 and 2022 are expected to be even higher.

During a recent visit to Singapore, the minister also stated that both countries would be enhancing their cooperation in cybersecurity. This includes the exchange of information and analyses, experiences and guidance that can be used to monitor and reduce cybersecurity incidents.

“For me, this is the next move in the relations in the ASEAN region, but specifically between Malaysia and Singapore it is hopeful it will start this year and will be held every year,” Fadzil said after signing a Memorandum of Understanding (MoU) in the field of personal data protection, cybersecurity and digital economy.

“This is because as we see now threat actors who almost every week strive to hack the database but the issue is that we have not identified them, where they are…this is among those that we will enhance following the cooperation between both countries,” he added.

For now, cybercriminals will most likely continue to target Malaysian businesses knowing that they are capable of getting the data they want. And unless Malaysian organizations and government agencies look for stronger ways to secure and protect their data, they will continue to remain easy targets for cybercriminals.

At the end of the day, the country can have a dozen MoUs on cybersecurity and data management, but if the implementation and accountability remain weak, data privacy will remain a pipedream for Malaysia.