iPay88 data breach: PDPA must be amended, victims compensated, says MP

LEMBAH Pantai MP Fahmi Fadzil has called for Putrajaya to amend the Personal Data Protection Act 2010 (PDPA) to compel companies to notify the authorities immediately in the event of a data breach. 

This follows news yesterday (Aug 11) that online payment gateway provider iPay88 had acknowledged that a cybersecurity breach may have compromised the card data of its users.

The company said that it had initiated a probe on May 31, engaging experts to mitigate the matter, but did not specify when the security breach had happened. 

In his criticism of iPay88, Fahmi said the company only made a public statement on the matter yesterday – about three months after the incident. 

“[iPay88’s explanation] is most unsatisfactory. The company must explain when the security breach was detected, why it did not announce this earlier, and why it did not inform those who were affected by the breach,” the PKR information chief said. 

“iPay88 must understand that without the personal data of their customers their business model would not have succeeded. Therefore, if iPay88 is serious and sincere they should provide financial compensation to those affected.” 

According to Fahmi, this incident underscores the urgent need for the PDPA to be amended to compel companies to immediately notify the authorities and those affected when there is a data breach. 

Meanwhile, Fahmi also called out the Association of Banks in Malaysia (ABM) and the Association of Islamic Banking and Financial Institutions Malaysia (AIBIM) for not proactively dealing with security breaches involving customer data in financial institutions. 

“Yesterday, in response to the iPay88 data breach incident, ABM and AIBIM released a joint statement reaffirming that banks take the data security of their cardholders seriously but their statement is akin to melepaskan batuk di tangga (doing things half-heartedly),” he remarked. 

“ABM, AIBIM, regulators such as Bank Negara Malaysia (BNM) and other commercial financial institutions must be more proactive in helping victims of a personal data breach especially when such incidents come as a result of security flaws in any part of the financial ecosystem, as in the case of iPay88.” 

With that, Fahmi urged the Government to establish a royal commission of inquiry (RCI) to investigate all cases involving personal data breaches in the last five years and to identify comprehensive measures to strengthen the country’s cybersecurity.

“Including the iPay88 incident, more than 100 million personal data were compromised in the last five years, and as this is also a matter of national security, we need the RCI to solve the problem and dispense justice to the victims,” he said. – Aug 12, 2022 
