LETTER | We, the undersigned civil society groups and concerned individuals are alarmed by reports of a data leak involving 220,000 registered organ donors.

Media reports said the leak also included MyKad numbers, home addresses and telephone numbers of donors/pledgers and their next of kin.

In September 2017, online forum Lowyat.net reported on a data leak involving 46.2 million Malaysian mobile users - their personal details, MyKad numbers, addresses and mobile phone numbers. This massive data leak was said to have taken place over 2014 to 2016.

Leaks of such scale raise substantial concerns as to the extent of procedural flaws or security breaches in the system of data protection within government agencies and public sector corporations.

These breaches of security open wide the door for identity theft, and provide criminals with an ideal database to social engineer phishing attacks against individuals whose intimate personal data have been exposed.

These data leaks will have a far-reaching impact on members of the public and the integrity of personal data held by government agencies and the private sector.

Despite the gravity of the situation, the Personal Data Protection Commission, the Malaysian Communications and Multimedia Commission, and the police have failed to offer any substantial remedy or action plan to address the leaks.

In both the cases set out earlier, we regret to note that entities like Lowyat.net or members of the public who exposed the issue have been censured, reprimanded and investigated.

Concerned persons who have been vigilant and had the courage to expose such security breaches should be applauded, not reprimanded.

The extent of the data leaks are clear indications of the urgency to enforce and if necessary reform the Personal Data Protection Act 2010 to safeguard personal data in the digital realm.

The relevant code of practice must be put in place immediately to strengthen protections and to prevent or mitigate future breaches. Punitive action needs to be taken against government agencies, corporations, organisations or individuals who fail to secure users’ private information in their possession.

Given the latest incident, it is high time that the PDPA is reviewed to cover federal and state governments and their agencies which collect, store and process user personal data.

It is no longer acceptable that the government and its agents are allowed to ignore the importance of data protection standards as they are also vulnerable to the threats of data breaches.

To this end, we, the undersigned civil society and concerned individuals call for:

A transparent investigation into the data leak;
All digital transactions to have the necessary and adequate security measures in place;
A policy and standard to be introduced to all government agencies that handle personal data to ensure that the personal data processed are secure, safe and not open to abuse;
Relevant government agencies to be made accountable for data leaks in their departments or through their agents;
All harassment and investigation of journalists and individuals exposing the data leaks to cease;
Avenues (such as websites) to be introduced or allowed for individuals to check if their personal data had been compromised; and
Reform of the Personal Data Protection Act 2010 to include the federal and state governments.

Endorsed by:

Organisations

Amnesty International Malaysia
Centre for Independent Journalism
Civil Rights Committee of KL & Selangor Chinese Assembly Hall
Empower
Friends of Kota Damansara
Hakam
Lawyers for Liberty
North South Initiative
Pusat Komas
Saya Anak Bangsa Malaysia
Sinar Project
Suaram
Teoh Beng Hock – Trust for Democracy

Concerned citizens

Colin Charles
Gayathry Venkiteswaran
Keith Rozario
Lau Yi Leong

The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.