
Saturday, June 11, 2022

SOURCE: Data protection dept not doing its job

 

Personal Data Protection Department (PDPD) https://www.pdp.gov.my/jpdpv2/?lang=en

Jabatan Perlindungan Data Peribadi


 Lax enforcement, resistance to change, and an unwillingness to adopt new ideas are the root causes of the continuous data leaks plaguing the country for several years now, says a highly-placed source.

The source told The Star that the Personal Data Protection Department (PDPD), an agency under the Communications and Multimedia Ministry created to uphold data protection, is not living up to its charter because of the above factors.

It has also failed to exercise its powers to curb data leaks “time and time again”.

The source said data leaks do not solely hinge on the provisions of the Personal Data Protection Act 2010 (PDPA), as popularly believed.

“The primary responsibility of this department is to oversee the processing of personal data of individuals involved in commercial transactions by data users (to ensure) that it is not misused by the parties concerned.

“A data user is like a telco with which we register. It might appoint a data processor, a third party, which is presently not covered by the Act.

“However, with the new amendment soon, this third party will be covered.

“When there is a data leak, everyone immediately points to Cybersecurity Malaysia (CSM), but most don’t realise that they don’t have the legislative authority compared to the PDPD,” the source added.

The department was set up in 2011 immediately after Parliament passed the PDPA 2010 or Act 709.

CSM, which has the infrastructure and technical expertise to handle such matters, has no enforcement powers.

“The director-general of PDPD is also the Commissioner for Personal Data Protection, which based on the law, can delegate power to CSM officers to execute the PDPA on its behalf.

“PDPD also has an adequate budget to appoint experts or officers to enforce the PDPA on a contract basis, but that was also not done.

“To top it off, the current enforcement officers inside the department are mostly seconded from the Domestic Trade and Consumer Affairs Ministry, so how do you expect these officers to carry out enforcement when they don’t have the necessary skills set?” the source added.

Compared with Singapore, Malaysia may have passed a data protection act first, but the difference in execution and enforcement has caused the country to lag behind.

The PDPD has also seemingly failed to collect the expected revenue based on audits conducted by the National Audit Department (NAD) in the past few years.

According to the NAD, RM468.88mil could have been collected and channelled to the government’s coffers had enforcement been conducted strictly.

Today, 13 sectors must register as “data users” with the department.

“We are heading towards a digital society, and I foresee more data leaks occurring, but the responsible party has not given its utmost priority to handling these issues.

“Supposedly, these data breaches are under the purview of this department but were handed over to the police due to the lack of expertise by the said department’s officers.

“The police are supposed to be solving crime and they have a lot on their plate right now.

“This department can help the police in an integrated manner, it even has the power to arrest individuals, but no one is doing it,” the source said.

He also said that Malaysia meets all the requirements of a world-class entity but lacks implementation of systems and laws.

He added that this happens when you have “territorial, old-school people who are afraid of change and resist anything good” in the civil service.

“Looking at Singapore, which also has similar laws, we need to ask why we are in this situation,” the source said.

Malaysia has been subjected to several data leaks over the past years, with the most recent one related to the International Trade and Industry Ministry’s Public-Private Covid-19 Industrial Immunisation Programme (Pikas).

In mid-May, a data leak was reported by local tech portal Amanz, where a 160GB-sized database with personal details of 22 million Malaysians belonging to the National Registration Department (NRD) was being sold for US$10,000 (RM43,950) on the dark web.


Sunday, May 22, 2022

Act swiftly to prevent data breaches

 



 

THE allegation that the personal data of 22.5 million Malaysians born between 1940 and 2004, purportedly from the National Registration Department (NRD), have been stolen and sold on the dark web is a serious concern.

According to local tech portal Amanz, the 160GB database containing information such as a person’s name, identity card number, address, date of birth, gender, race, religion, mobile number, and Base64-based photo, is being sold for US$10,000 (about RM43,885) at a well-known database marketplace forum.

In a screenshot shared by the portal, the seller claimed that the database was an expanded repository from the one he sold in September last year.

In the incident last year, the personal data of four million Malaysians were allegedly leaked from the MyIdentity API (application programming interface) and put up for sale at RM35,419.

MyIdentity is a national data-sharing platform that allows government agencies to access individuals’ details from a centralised repository.

This is not the only government database that has been put on sale this year. Apparently, a couple of weeks earlier, the same seller had posted a database allegedly belonging to 802,259 Malaysian voters, obtained from the Election Commission’s website, on the black market.

And sadly, these are not the only incidents of government database breaches.

While the Home Affairs Ministry has denied that the latest database leak was from NRD, the police, on the other hand, have already started their investigation into the breach.

But whatever the outcome is, with the rising number of cases involving government personal data leaks, the authorities must be held accountable for such breaches.

Heads, especially those given the task of ensuring the safety and security of these public data, must roll.

They must be held accountable for their failure in protecting the people’s interests and in ensuring the safety and security of their private details, which could easily be abused.

The government must also act swiftly to address the weaknesses in their system and reassure Malaysians of a better solution to safeguard data stored by government departments and agencies.

It is a question of public safety.

Scammers could use the stolen data to cheat people of their money, while telemarketers would have a field day making unsolicited calls from the leaked telephone numbers of Malaysians.

To prevent leaked data from being misused, the government, including the police, must work harder to go after scammers, who could use such information to trick victims, especially via the Macau scam.

Last year, 1,585 Macau scam cases were reported nationwide, resulting in RM560.8mil in losses. This year, the number has already reached 1,258 cases as at April 19, involving RM65.4mil in losses.

As for telemarketing, the Malaysian Communications and Multimedia Commission (MCMC) must be more vigilant and introduce sterner measures to prevent unsolicited calls.

Actions to stop the scammers and unsolicited calls would restore people’s confidence in government agencies despite the data breach.

Lastly, as the custodian of all Malaysians’ data, the government must also be held accountable for any breach.

Currently, the Personal Data Protection Act 2010 (PDPA) does not apply to the federal and state governments. Instead, it only covers commercial entities.

While proposals to amend the PDPA, including making the government accountable, have been made, the amendments have yet to be tabled in Parliament.

Therefore, lawmakers should seriously consider the urgency of the amendments to make Malaysians’ personal data safer in the public domain, preventing them from falling into the wrong hands for illegal use.

This has to be done quickly to prevent more of such data breaches before it is too late and puts national security at risk. 


Public fuming over another likely data leak


PETALING JAYA: The public are outraged over another alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, stolen from the National Registration Department (NRD).

Many are anticipating more scam calls and SMSes as well as fraudulent online transactions to occur over the breach.

Businessman Amirul Asraf, 31, from Wangsa Melawati, said such incidents were the root cause for many of the scam calls people are receiving on a daily basis.

“With these data, scammers can convince people that they are calling from the banks, courts, police and authorities. This will make people’s lives harder.

“I read a case where a poor man who obtained assistance from his local assemblyman was cheated after a scammer emptied him out. The assemblyman had to help the victim again as a result.


“These scammers are heartless. They don’t care if they take a lot or a little or whom they trick, as long as they get the money,” he said.

Software engineer Ahmad Ridzwan, 30, from Bukit Jalil, could only say “Malaysia Boleh” in relation to the leak taking place.

“Not sure what else to comment. This is the worst possible leak because our identifiable data is out in the open and the identity card is the most important one of all,” he said.

Sales executive Shivaendra Gunasegaram, 30, from Petaling Jaya, said smartphones and social media companies already had all data pertaining to the individuals.

As such, all personal information was accessible to many people, he said.

“As long as there are no unauthorised transactions from our bank accounts, I feel that there’s nothing to worry about.

“The advantage of being poor is that they probably won’t target my account because there’s not much in it,” he said jokingly.

Meanwhile, the data leak report continued to create a buzz in online forums and on social media, with many people expressing their unhappiness over the government’s inability to protect vital information from being leaked repeatedly over the years.

On Facebook, user Zaidi Rudy said: “Brace yourselves, scam calls are coming in.”

Dennis Ooi said: “Was SOLD mean somebody have to go jail. Any action taken on those responsible. Or tangkap lepas again.”

Wan Meng Lee questioned: “Why the rakyat confidential information can be sold off is it not kept safely omg.”

Abdul Hamid said: “If they know the data being sold, they definitely know who is the seller.”

In the Lowyat forum, user bananjoe said: “Habis go and overhaul the whole new mykad. This is epic ridiculous. Government IT staff doing what ???”

Sycamore said: “So absurd. But why am I not surprised? Absurdity is the reality.”

Radiowarrior1337 said: “This needs to kena and people head must roll. Tidak apa attitude and biar la dah hack kan so mari lepak minum teh now to discuss what scenario he obtains the data.”

Monday, January 3, 2022

ONGOING CYBER THREATS

 

 

After years of data breaches exposing individuals’ personal information, cyberthieves will increasingly use that information to attack businesses in 2022, according to the Identity Theft Resource Centre’s predictions for the coming year.

“We also tracked a record number of data breaches and a steady flow of new victims of unemployment benefits identity fraud long after the enhanced benefits ended,” said Eva Velasquez, president and CEO of Identity Theft Resource Centre.

Velasquez anticipates an increase this year in the number of people who have been victims of identity theft multiple times. And she warned of particular risk ahead as people change how they pay for things.

“Look for cybercriminals to take advantage of the shift to alternative digital payment methods, such as payment apps, digital wallets and peer-to-peer services,” Velasquez said.

With cryptocurrency becoming increasingly popular, scammers will find new ways to steal from consumers, according to the resource centre, which is a US nonprofit that tracks data compromises and provides free assistance to victims.

The centre’s predictions for 2022 include:

  • An accelerated shift from identity theft to use of already stolen personal information and credentials to commit identity fraud and attack businesses.
  • Consumers may shift away from some online transactions and email communications due to the increasing problem of phishing, which is when cybercriminals use a fraudulent email or website to masquerade as a legitimate business or person.
  • The effects of pandemic-related fraud will continue into 2024, with some fraud cases taking years to resolve and unemployment compensation fraud efforts likely becoming permanent.
  • Ransomware, when hackers use malicious software to infect and lock a computer network and demand money to restore access, may surpass phishing as the top cause of data breaches.
  • Supply chain attacks, which is when malware infects a single organisation that is linked to multiple others, will become more common.
  • Single incident attacks will impact greater numbers of individuals, including social media account takeovers that victimise followers and networks.


“All of these trends point toward increases in identity fraud that will change consumer behaviours, revictimisation rates and pandemic-related identity crimes for years to come,” Velasquez said.

“We expect to see these types of cyberattacks and who they target continue to evolve as they did in 2021.”

The resource centre called for wider consumer education efforts and improved data protection. The number of publicly reported data compromises was already higher last year than in all of 2020. The centre’s third quarter report shows that as of Sept 30, 2021, data compromises rose by nearly 17% over all of 2020. The report found that nearly 281.5 million people were victims last year. There were 1,291 data compromise events in 2021, compared to 1,108 in all of 2020. The record is 1,529 in 2017.

In November, the resource centre released data showing that 16% of 1,050 US adult consumers surveyed took no action after receiving a data breach notice, according to the survey by the resource centre and Dig.works, a consumer research company.

Fewer than one-third of survey respondents had frozen their credit at one time for any reason and only 3% did so after receiving a data breach notice, the survey found.

– Journal-News, Hamilton, Ohio/Tribune News Service

 

Crypto cybercrime set to surge in 2022