KUALA LUMPUR, Sept 21 — Malaysia has recorded its highest number of data breach cases this year, with an all-time high of 15 reported cases a week involving mainly ransomware attacks.
The situation has sparked concern over related cybercrimes and phone scams, which have led to millions of ringgit in losses annually.
The New Straits Times (NST) reported today that the Personal Data Protection Department (PDPD) had received reports of 130 cases up to June this year, a four-fold increase compared with only 30 such cases recorded for the whole of 2022.
PDPD director-general Mohd Nazri Kama said that the pattern had been steadily increasing since 2016.
He said based on the latest figure of 15 cases a week, at least five involved personal data breaches.
Mohd Nazri added that the rising number of cases could be attributed to various factors, with ransomware emerging as the main form of cyberattacks.
In ransomware cases, criminals would use a person’s data and threaten to expose or sell it unless they are paid.
Mohd Nazri said contributing factors included the use of old, unpatched security that was vulnerable to exploitation.
He also stressed that human factors played a key role, such as the accidental disclosure of sensitive information, weak passwords, phishing attacks, insider misuse and physical theft of data-carrying devices.
“Some Malaysians are generous with their data. They would simply give their data to anyone.
“A simple example is when they go to a supermarket and people (marketers) ask for their identification card for membership registration or simple gifts and benefits.
“Shoppers would give it without thinking about how these organisations would handle their data,” he was quoted as saying in the English national daily.
Personal data refers to data that can be used to identify an individual, such as MyKad and banking details, while non-personal data does not possess the ability to disclose a person’s identity. Such data can be used in a variety of ways.
Companies which buy them can use them to tailor their offerings to the consumer in question and personalise products to better appeal to that consumer.
However, in a more vicious use, criminals use the personal data they have gleaned to scam their intended victims in a convincing manner.
Mohd Nazri said PDPD faced a huge challenge in identifying the origin of data breaches.
“For example, criminals would erase the data from the server they hacked into, ending the trail which would have led back to them,” he told NST.
On companies using such data, Mohd Nazri said from 2016 to this year, only 15 of those had been compounded, and five others were fined for such offences.
He explained that the small number of prosecutions was due to technical difficulties in gathering evidence for such cases.
Mohd Nazri advised consumers to reduce the risk of having their data abused or stolen by only releasing their data to companies with the PDPD registration certificate.
He said the certification was issued to companies which comply with the Personal Data Protection Act 2010 (PDPA), which seeks to protect users’ personal data relating to commercial transactions.
Recently, the federal police’s Commercial Crime Investigation Department (CCID) revealed that cybercrime cases nearly doubled from 10,753 in 2018 to 19,175 last year.
In June, Communications and Digital Minister Fahmi Fadzil said the Personal Data Protection Act (PDPA) 2010 needs to be amended to prevent personal data from being stolen and used in fraud.
He expected the amendments to the Act to be carried out as early as December, or by March next year at the latest.
This follows Prime Minister Datuk Seri Anwar Ibrahim’s announcement in the same week that the Bill would be expedited to ensure all legal aspects relating to cyber security are covered.