Home Civil Society Voices Investigate data leaks, strengthen Personal Data Protection Act

Investigate data leaks, strengthen Personal Data Protection Act

Follow us on our Malay and English WhatsApp, Telegram, Instagram, Tiktok and Youtube channels.

We, the undersigned civil society groups and concerned individuals, are alarmed by reports of 28 January 2018 of data leaks involving 220,000 registered organ donors.

Media reports say the data leak also included MyKad numbers, home addresses and telephone numbers of donors/pledgers and their next of kin.

In September 2017, an online forum lowyat.net reported the data leak involving 46.2m Malaysian mobile users – their personal details, MyKad numbers, addresses and mobile phone numbers. This massive data leak was said to have taken place from 2014 to 2016.

The leaks of such scale raise substantial concerns as to the extent of procedural flaws or security breaches in the system of data protection within government agencies and public sector corporations.

These breaches of security open wide the door for identity thefts and provide criminals with an ideal database to social-engineer the perfect phishing attack against individuals whose intimate personal data have been exposed. These data leaks will have a far-reaching impact on members of the public and the integrity of personal data held by government agencies and the private sector.

Despite the gravity of the situation, the Personal Data Protection Commission, the Malaysian Communications and Multimedia Commission and the police have failed to offer any substantial remedy or action plan to address the leaks.

In both the cases set out earlier, we regret to note that organisations such as lowyat.net or members of the public who exposed the issue have been censured, reprimanded and investigated. Concerned individuals who have been vigilant and had the courage to expose such security breaches should be applauded and not reprimanded.

The extent of the data leaks are clear indications of the urgency to enforce and if necessary reform the Personal Data Protection Act (PDPA) 2010 to safeguard personal data in the digital realm. The relevant code of practice must be put in place immediately to strengthen protections and to prevent or mitigate future breaches. Punitive action needs to be taken against government agencies, corporations, organisations or individuals who fail to secure users’ private information in their possession.

Given the latest incident, it is high time that the act is reviewed to cover federal and state governments and their agencies which collect, store and process users’ personal data.

It is no longer acceptable that the government and its agents are allowed to ignore the importance of data protection standards as they are also vulnerable to the threats of data breaches.

To this end, we, the undersigned civil society and concerned individuals call for:

  • a transparent investigation into the data leak
  • all digital transactions to have necessary and adequate security measures in place
  • a policy and standard to be introduced to all government agencies that handle personal data to ensure that the personal data processed are secure, safe and not open to abuse
  • relevant government agencies to be made accountable for data leaks in their departments or through their agents
  • all harassment and investigation of journalists and individuals exposing the data leaks to cease;
  • avenues (such as websites) to be introduced or allowed for individuals to check if their personal data had been compromised; and
  • reform of the Personal Data Protection Act 2010 to include the federal and state governments

Endorsed by:

Amnesty International Malaysia
Centre for Independent Journalism
Civil Rights Committee of KL and Selangor Chinese Assembly Hall
Friends of Kota Damansara
Lawyers for Liberty
North South Initiative
Pusat Komas
Saya Anak Bangsa Malaysia
Sinar Project
Suara Rakyat Malaysia (Suaram)
Teoh Beng Hock – Trust for Democracy

Concerned citizens:

Colin Charles
Gayathry Venkiteswaran
Keith Rozario
Lau Yi Leong

The views expressed in Aliran's media statements and the NGO statements we have endorsed reflect Aliran's official stand. Views and opinions expressed in other pieces published here do not necessarily reflect Aliran's official position.

AGENDA RAKYAT - Lima perkara utama
  1. Tegakkan maruah serta kualiti kehidupan rakyat
  2. Galakkan pembangunan saksama, lestari serta tangani krisis alam sekitar
  3. Raikan kerencaman dan keterangkuman
  4. Selamatkan demokrasi dan angkatkan keluhuran undang-undang
  5. Lawan rasuah dan kronisme
Support our work by making a donation. Tap to download the QR code below and scan this QR code from Gallery by using TnG e-wallet or most banking apps:
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments
17 Feb 2018 1.59am

The Internet, is a Wild West, where the one who is faster at the draw of their gun wins the duel. It is a domain where concepts of justice, fairness, morality, rights to enjoy the fruits of one’s creativity and labour mean nothing, but where the one who can beat the system without being detected wins, fair or foul.

Keep most of our key personal data off the Internet as much as possible. It is a cesspit, with a pariah culture and den of thieves. Keep your personal data away from the Internet.


17 Feb 2018 1.42am

As for my neighbour who was fooled into parting with her money by the caller pretending to be from the police and supposedly had tapped into the telephone line of a main police station in Kedah (or had manipulated digital core telecommunications system to appear to be from that police station).

Anyway, after her transfer of her third tranch of funds, it dawned on her that this was a scam and she lodged a police report, than went to the bank which froze these accounts pending court ruling of release of funds back to her.

It’s said that the scammers gave money to poor people and asked them to open bank accounts in their name and then give the ATM card and PIN number to the crooks to withdraw money up to the daily limit.

17 Feb 2018 1.28am

The Malaysiakini special report on this breach is dated 27 November 2017, about three and a half months ago and still not able to identify the culprits who leaked the key subscriber data, which besides each phone’s IMEI (International Mobile Equipment Identity) number – i.e. its unique “electronic serial number” used by the Public Cellular Blocking Service to block stolen phones from working, also included were each subscriber’s MyKAD or passport number, full name as in MyKAD or passport and so forth.

In 2014, I had four postpaid cellular accounts in my name and all the details of these showed up when I checked on the now inaccessible sayakenahack.com website.

More the sophisticated a system, the bigger the damage by crooks.

17 Feb 2018 1.09am

In addition, the leakage of key details of the 43.2 million cellular subscribers in Malaysia in mid-2014 comprised subscriber data submitted by the various cellular operators to be included in the Malaysian Central Equipment Identity Register (MCEIR), the MCMC’s centralised database, a part of its Public Cellular Blocking Service (PCBS) used to render mobile phones reported stolen through the website blockmyphone.my, from being use even with a different SIM card. The MCMC had outsourced operation of this service to a private company Nuemera Sdn Bhd and it is suspected that some of its employees had leaked the data.

Malaysiakini has a pretty comprehensive report on this breach.

17 Feb 2018 12.34am

I have received calls purportedly from TM Unifi, credit card companies and so forth telling me that my Unifi account was being used to run an illegal Internet gambling operation, my non-existent credit card tied to be MyKAD number and full name had several thousands overdue settlement and so forth and for me to reveal certain key codes to resolve the problem or whatever.

I almost fell for this trick the first time but now tell the caller that I’ll go and sort this out with TM, the bank which issues the credit card I don’t actually have, the police where applicable and then I hang up.

My neighbour fell for a scam call accusing her of money laundering and in panic she transferred about RM500K into 3 accounts named by the caller

Would love your thoughts, please comment.x