Bar calls for Privacy Act, transparency on report of MySejahtera 'super admin' hack of personal data
KUALA LUMPUR, Feb 27 — The Malaysian Bar has today urged Putrajaya to take urgent action by enacting a Privacy Act to protect the data of Malaysians that would be collected by corporations or the Malaysian or state governments.
The lawyers’ umbrella body also asked that the findings by CyberSecurity Malaysia on potential hacks and illegal downloading of users’ data from the MySejahtera app be made public during the current Parliament sitting.
“Personal data in Malaysia is governed by the Personal Data Protection Act 2010 (PDPA), of which the Malaysian government and state governments are excluded from this Act. This Act is only applicable where personal data is collected in respect of commercial transactions, and is not applicable to personal data collected through the use of the app, as in this context, data is being collected and used for the purpose of public health.
“With that in mind, the Malaysian Bar urges the government to establish and enact a Privacy Act to protect the privacy of data collected by the Malaysian government and or state governments, or any corporation under the aegis of one or the other,” its president Karen Cheah Yee Lynn said in a statement.
Earlier today, Deputy Health Minister Lukanisman Awang Sauni denied allegations of a data leak involving vaccine recipients registered under the Health Ministry’s MySejahtera app.
He told Parliament that a “super admin” downloaded the data of three million MySejahtera vaccine recipients as a preventive measure because there were attempts to hack the government’s health mobile application.
The Bar also lamented that the contract to develop the application was awarded to Entomo Sdn Bhd, previously known as KPISoft Sdn Bhd, through direct negotiation, and that a Singaporean company, Entomo Pte Ltd, claims to legally own the software used to develop the app.
“Not only is it of grave concern that the appointment of Entomo Malaysia was not conducted through open tender, no agreement was entered into between the Malaysian government and KPISoft Malaysia, aside from a Non-Disclosure Agreement (NDA).
“The fact that a foreign company is the sole shareholder of Entomo Malaysia and owns the software for the app, is also deeply perturbing. It is also discovered that the Malaysian Government has no apparent control over a licensing deal between Entomo Malaysia and MySejahtera Sdn Bhd, giving the latter a perpetual license to develop and support the app until 2025.
“The Malaysian Bar further notes that the Minister of Communications and Digital, Fahmi Fadzil, has instructed CyberSecurity Malaysia to carry out investigations into the audit findings. On this note, we urge the government to release the details of the NDA, the events that led to confusion of ownership, and the true names of all service providers.
“These disclosures should be made in the current Parliament sitting so that all issues can be debated to assure the public that national security and the privacy of app users are protected,” it said.
On February 16, the Auditor-General released the second series of his report for 2021 in which it was revealed that a “super admin” account set up by person or persons unknown was found to have downloaded private information belonging to three million people through the MySJ app two years ago.
The audit report said the account raised red flags as the personal information was downloaded from multiple internet protocol (IP) addresses.
It also highlighted that there had been 1.12 million attacks on the MySJ app from October 27, 2021.
The app was developed initially to register residents in Malaysia for the Covid-19 vaccine in 2021 to curb the coronavirus spread that had battered the country’s healthcare system.