MALAYSIA has recorded an average of 15 data breach cases per week this year with the Personal Data Protection Department (PDPD) receiving 130 incidents as of June, the majority of which were ransomware attacks, according to a report.
It was a fourfold increase from the previous year, when only 30 such incidents were recorded for the entire year, and it has sparked concerns about linked cybercrime and phone scams, which cost millions of ringgits each year.
“The pattern had been steadily increasing since 2016 and there were at least five cases each week involving personal data breaches,” PDPD director-general Professor Dr Mohd Nazri Kama was reported as saying by NST Focus today (Sept 21).
Personal data is a collection of data that may be used to identify an individual, such as Mykad and banking information, but non-personal data cannot reveal a person’s identity.
“The rising number of cases could be attributed to various factors, with ransomware emerging as the prevailing form of cyberattacks.
“In such cases, criminals would take a person’s data and threaten to expose or sell them unless they are paid.”
While Mohd Nazri did not go into details on how such data breaches may occur or who was usually to blame, he did say that contributing factors included the usage of outdated, unpatched security that was prone to exploitation.
Human factors were also to blame, such as accidental disclosure of sensitive information, weak passwords, phishing attacks, insider misuse and physical theft on data-carrying devices.
“Some Malaysians are generous with their data as they would simply give their data to anyone.
“A simple example is when they go to a supermarket and people (marketers) ask for their identification card for membership registration or simple gifts and benefits.
“Shoppers would give it without thinking about how these organisations would handle their data,” he said.
Companies who purchase them can use them to personalise their services to the consumer in question and personalise items to appeal to that consumer more effectively.
A more nefarious approach would see thieves exploiting personal data acquired – such as how much money is in one’s account as well as family details – to convincingly scam their victim.
According to Mohd Nazri, determining the origins of such data breaches was a tremendous challenge for the department.
“For example, criminals would erase the data from the server they hacked into, thus ending the trail which would have led back to them.
“From 2016 to this year, only 15 of those companies using such data had been compounded, and five others were fined for such offences.
“The small number of prosecutions was due to technical difficulties in gathering evidence for such cases.
“The only way consumers could reduce the risk of having their data abused or stolen was by only releasing their data to companies with the PDPD registration certificate.
“The certification was issued to companies which comply with the Personal Data Protection Act 2010 (PDPA), which seeks to protect users’ personal data relating to commercial transactions,” he remarked.
Communications and Digital Minister Fahmi Fadzil indicated in January that the PDPA would be revised to increase fines or penalties and to include mandatory data breach notification by data users and data processors in the act. – Sept 21, 2023
Main pic credit: Cyral.com
