LETTER | We, the undersigned civil society groups and concerned individuals are alarmed by reports of a data leak involving 220,000 registered organ donors.
Media reports said the leak also included MyKad numbers, home addresses and telephone numbers of donors/pledgers and their next of kin.
In September 2017, online forum Lowyat.net reported on a data leak involving 46.2 million Malaysian mobile users - their personal details, MyKad numbers, addresses and mobile phone numbers. This massive data leak was said to have taken place over 2014 to 2016.
Leaks of such scale raise substantial concerns as to the extent of procedural flaws or security breaches in the system of data protection within government agencies and public sector corporations.
These breaches of security open wide the door for identity theft, and provide criminals with an ideal database to social engineer phishing attacks against individuals whose intimate personal data have been exposed.
These data leaks will have a far-reaching impact on members of the public and the integrity of personal data held by government agencies and the private sector.
Despite the gravity of the situation, the Personal Data Protection Commission, the Malaysian Communications and Multimedia Commission, and the police have failed to offer any substantial remedy or action plan to address the leaks.
In both the cases set out earlier, we regret to note that entities like Lowyat.net or members of the public who exposed the issue have been censured, reprimanded and investigated.
Concerned persons who have been vigilant and had the courage to expose such security breaches should be applauded, not reprimanded.
The extent of the data leaks are clear indications of the urgency to enforce and if necessary reform the Personal Data Protection Act 2010 to safeguard personal data in the digital realm.
The relevant code of practice must be put in place immediately to strengthen protections and to prevent or mitigate future breaches. Punitive action needs to be taken against government agencies, corporations, organisations or individuals who fail to secure users’ private information in their possession.
Given the latest incident, it is high time that the PDPA is reviewed to cover federal and state governments and their agencies which collect, store and process user personal data.
It is no longer acceptable that the government and its agents are allowed to ignore the importance of data protection standards as they are also vulnerable to the threats of data breaches.
To this end, we, the undersigned civil society and concerned individuals call for:
The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.