SERI: Alleged Malaysian Government Data Breaches Must Be Addressed
By Anisha Nadkarni October 1, 2021
- Emphasis on security by design & privacy by design for public digital services
- Review our data protection laws & update the Personal Data Protection Act
The recent news report of a potential data breach at Malaysia’s National Registration Department (JPN) raises concern regarding the security measures that are in place to protect the rakyat’s data. The report states that a database of four million Malaysian citizens containing data freshly obtained from JPN and hasil.gov.my (Inland Revenue Board) through the MyIdentity API has been put on sale through an online forum.
1. Data security must be of a high standard
The Malaysian government must be held to at least the same standard as private companies, if not higher, when it comes to both data protection and security.
This is especially true for data that is highly personal in nature. JPN, in charge of one of the most important databases of personal data in the country, must be held to the highest of security standards.
For example, regular penetration testing is one of the most basic measures that should be carried out by all government agencies controlling personal data - it should be made clear if this is currently practiced, as the intrusion analyst who first reported these leaks claims that his previous efforts to inform the agencies about these leaks were not taken seriously.
Secondly, the fact that ten different government databases are accessible through a single API [ Assuming it is true, as the seller claimed they obtained the data through the myIDENTITY API] suggests that it may not have been designed with the highest security standards in mind. There should be an emphasis on security by design and privacy by design for public digital services.
2. Transparency is paramount
The fact that myIDENTITY depends on citizens voluntarily updating their personal data makes a potential breach even more consequential for public trust. Trust needs to be earned - people will be less willing to offer their personal data if they cannot be confident in the government’s ability and willingness to protect it.
The most important element in building trust is to be transparent. Estonia, a world leader in e-government, has illustrated this point time and again by being fully transparent about (i) the way they use citizens’ data (use cases) and (ii) data breaches or other shortcomings. If the Malaysian government truly wants to provide better digital public services, it would do well to practice this level of transparency.
3. Invest in cybersecurity, review PDPA
The government’s ‘Cloud First’ strategy and MyDigital policy, which intends to migrate 80% of public data to hybrid cloud systems by the end of 2022, must include serious investment in cybersecurity in the public sector. We must also review our data protection laws and update the Personal Data Protection Act (PDPA) with particular attention to the question of the PDPA’s applicability to federal and state governments. One of the key provisions we need to adopt (made evident by these events) is the requirement to inform data subjects when a breach has occurred.
Whilst it is encouraging to note that the government is keen to create a more digital nation, this can only be done if our digital policies are fit for purpose with sufficient attention paid to data security. We need assurance (including in the law) that our personal data will be properly secured before further data centralisation happens and it is only by building trust would the people embrace the necessary digital disruption.
Anisha Nadkarni is a Research Fellow at Social & Economic Research Initiative (SERI), a non-partisan think-tank dedicated to the promotion of evidence-based policies that address issues of inequality, particularly at the intersection of technology and society.
She works as a Data Analyst in the innovation and digitalisation department of a multinational and is an alumnus of the University of Oxford's Internet Institute (OII), where she earned her Masters degree in Social Science of the Internet.