Will regulators take action on Malaysian university for admitting data leak?

Data leaks are becoming increasingly common in organizations today. But apart from enterprises, education institutes are also targeted by cybercriminals or could end up making mistakes when handling data.

Such is the case of Malaysia’s Universiti Teknologi Mara (UiTM). The Malaysian university recently had the personal information of some 12,000 university applicants exposed on an unsecured link. The information, which included identity card numbers, sparked even more concerns about data and private security after the university just announced an apology for the mistake it made in handling the data and deactivated the link.

For now, no further action was taken by the university towards how the leak could have occurred. No further action has also been taken by regulatory authorities towards the university, despite the data of 12,000 applicants being exposed. While Malaysian Communications and Digital Minister Fahmi Fadzil did announce that the investigation on the data leak was ongoing, the Personal Data Protection Department had also directed UiTM to file a notice of the leak and to provide further information about the incident.

Despite this, many feel that the investigations will not bring much change. In the past, companies that have faced data leaks and breaches in Malaysia were not subjected to severe fines and penalties. The reason for this is a lack of accountability and also rules that require organizations to report data leaks or data breaches in the country. Apart from the Personal Data Protection Act, organizations in Malaysia often do not face any legal actions from leaked data, unless they are being sued.

Going back to the education sector, this is not the first time UiTM has experienced a data breach. In 2019, there were reports that the personal data of more than a million UiTM had been leaked online. The university stated it would conduct investigations but it seems that they have still yet to fix the issue, given the latest data leak.

In fact, Palo Alto Networks’ Ransomware report highlighted that the education sector in Malaysia is the most targeted by ransomware groups, making this case even more alarming and revealing the industry’s weakness in handling sensitive data.

This incident serves as a reminder of how easily personal information can be exposed. While there haven’t been any reports of significant damage, businesses handling sensitive data must be accountable for implementing effective measures to safeguard the personal data of their users.

Commenting on this incident, Palo Alto Networks ASEAN Systems Engineering Head, Malaysia / Cortex, David Rajoo, urged, “Organisations like the education sector, must develop an effective security strategy to uphold the integrity of their data whether it is at rest, in use, or in motion. This includes upgrading cybersecurity defenses consistently to keep up with the evolving threats, stay ahead of the attack curve and minimize the possibilities of data breaches.”

Furthermore, 80% of security alerts come from users repeating the same mistakes according to another report by Palo Alto Networks. To prevent recurring data breaches in Malaysia, Rajoo suggested organizations put in place security measures starting from the first line of defense, giving necessary education and training to their employees. Some recommendations include:

• Digital training: Data security is a broad issue that is covered in digital training, including password management, secure file sharing, and safe browsing practices. This can involve instruction on how to generate secure passwords, refrain from using the same password for many accounts, transfer files and documents securely, and browse the internet safely and steer clear of harmful websites.
• Phishing link training: Phishing link training involves educating employees on how to recognize and avoid phishing attacks. This may involve mock phishing assaults that assess staff members’ capacity to recognize and report dubious emails or links.
• Ongoing cyber security awareness initiatives: As the threat landscape is continuously shifting and new threats are consistently appearing, it is essential to be informed about the most recent risks. A cybersecurity program is a useful tool for keeping this awareness up. As part of compliance efforts, it ensures the organization is aware of recent risks and vulnerabilities and provides best practices for data protection.

“In light of this, it is always important to strengthen our cyber security posture in general. This can be achieved by hiring dedicated cybersecurity personnel, implementing comprehensive security systems and regularly conducting security assessments to identify vulnerabilities and areas for improvement,” commented Rajoo.

Rajoo added that Malaysian individuals and organizations need to be more vigilant in protecting their sensitive data.

“Successful cybersecurity demands collective efforts to ensure data security. The recent breach underscores the need for Malaysia to enhance its cybersecurity posture, whether through individual data hygiene awareness or organization-wide cybersecurity investment.”

---

---

---