LETTER | Malaysia Airlines has reported that there has been a data breach of its Enrich frequent flyer programme by one of its third-party service providers. It further claimed that there is no evidence that the data was being misused.
In this current time, when consumers' personal data are frequently being collected over many platforms for many purposes, how secure and private is our data?
For example, during the current Covid-19 pandemic, consumers are extensively using the MySejathera and Selangkah apps for the purpose of contact tracing that requires them to "check-in" whenever they enter a public or private enterprise.
The issue is how secure is their personal data?
The main concern for consumers is whether their personal information will fall into the wrong hands either for commercial or criminal purposes. Many of us have received calls by commercial organisations to market their products or even by scammers threatening us about some "crime" we are supposed to have committed and how they can resolve the issue with some payment.
Whether for the marketing of products or services or contacting us with criminal intent, the first question that comes into mind is how did they get our phone number or sometimes they even know some personal details that we are extremely certain we never gave them.
Somehow, the data we gave to some official party such as government institutions or private institutions such as banks or airlines were leaked or sold to them.
It seems our data is not very secure.
Despite MAS assurance that there is no evidence that the data was being misused, how certain can consumers trust that message? Further, what is the consequence of this lackadaisical attitude towards protecting our data where some third party was able to attain it?
In 2018, British Airways had a data breach that exposed the financial and personal details of more than 420,000 consumers. The data regulator of the United Kingdom, the Information Commissioner Office, fined British Airways £20 million (RM110 million). Additionally, 16,000 customers joined a class-action suit against the airline.
According to the legal company representing the consumers', each consumer whose personal details – names, billing addresses and email addresses and card payment details – were leaked would be entitled to £2,000 (RM 11,000) as compensation.
In this, not only would justice be served to the affected consumers, but the decision would send a strong message to other big companies collecting personal data that they must take data protection seriously or face financial and reputational consequences.
Scams have indeed increased substantially, especially during this covid pandemic. Increasing data breaches may be one of the causes, as more data is being collected, and this data is leaked or sold to irresponsible parties.
Companies collecting data must know that there are serious consequences if they are lax with the privacy and security of the consumer's data.
In the MAS issue and in other incidents of data breaches, the silence of the agency tasked to implement the Personal Data Protection Act 2010 is deafening.
Are these companies where there is a data breach being held responsible or are they allowed to go free without consequences?
If companies breaching data security are allowed to escape any consequences of their lax data security, it would only signal to other companies that there are no consequences to lax data security and thus, there will be no effort to strengthen data privacy and security measures. Consumers will continue to suffer.
Finally, as the Personal Data Protection Act 2010 only protects against the inappropriate use of personal data for commercial purposes, the Federation of Malaysian Consumers Associations (Fomca) calls on the reformation of the act to include breaches involving the online community.
PAUL SELVA RAJ is the chief executive officer of the Federation of Malaysian Consumers Associations (Fomca).
The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.
