iPay88 data breach: Gov’t taking immediate action, BNM only notified in July

THE COMMUNICATIONS and Multimedia Ministry (KKMM) will take immediate action regarding the data breach incident that hit online payment gateway provider iPay88, while Bank Negara (BNM) said forensic investigations are ongoing. 

KKMM Minister Tan Sri Annuar Musa said the Malaysian Communications and Multimedia Commission (MCMC), the Personal Data Protection Department (PDPD) and CyberSecurity Malaysia (CSM) were looking into the matter. 

“The case is being investigated further by iPay88’s vendor from Singapore, SISA, who identified the Cobalt Strike threat being used, while the affected server has been taken offline for further investigation,” Bernama quoted Annuar as saying. 

“SISA’s investigation is still ongoing and iPay88 will inform PDPD and CSM of all results,” he said, adding that they met with iPay88 yesterday (Aug 12).

On Thursday (Aug 11), iPay88, a payment company that offers e-commerce, retail, online banking and e-wallet solutions, acknowledged that a recent cybersecurity breach may have compromised the card data of its users.

The company said that it had initiated a probe on May 31, engaging experts to mitigate the matter, but did not specify when the security breach had happened.  

iPay88 has since courted intense criticism for only making a public statement now and for not explaining when the security breach was detected and who was affected. 

iPay88 has also been told to provide financial compensation to affected customers, while the Government has been urged to amend the Personal Data Protection Act 2010 (PDPA) to compel companies to notify the authorities immediately in the event of a data breach.

“iPay88 not supervised by BNM”

Meanwhile, BNM governor Tan Sri Nor Shamsiah Mohd Yunus said the central bank was only made aware of the breach in late July, adding that iPay88 is not technically supervised by BNM. 

In a statement, BNM said the breach originated from and is confined to iPay88’s payment card systems and does not involve vulnerabilities in the banks’ systems.  

“Financial institutions in Malaysia also observe strong authentication methods for online card transactions, including prompting cardholders for additional confirmation of certain transactions considered to be riskier.

“This reduces the risk of fraudulent transactions occurring.”

BNM added: “For non-authenticated transactions, particularly purchases from overseas merchants, customers will not be liable for any fraudulent or unauthorised transactions that may arise from this incident.” 

Deputy BNM governor Jessica Chew, on the other hand, said banks have been told to enhance protective measures to protect credit card holders and to inform customers of these steps. 

Local banks have since heightened their fraud risk management and monitoring of suspicious or fraudulent activities for affected cards. 

BNM added that it takes a serious view of any incident that can affect confidence in the payment system, and will not hesitate to take necessary supervisory or enforcement actions to ensure strong security controls are in place and maintained by financial institutions. 

It advised customers to immediately notify their banks if they observe any irregular or unauthorised transactions on their cards. 

For further inquiries or complaints, members of the public can contact BNMTELELINK at 1-300-88-5465 or through https://telelink.bnm.gov.my/

More than 100 million sets of personal data in Malaysia were compromised in the last five years, according to Lembah Pantai MP Fahmi Fadzil. – Aug 13, 2022  
