PETALING JAYA: With the recent data breach in the payment gateway iPay88, experts say it’s high time companies invested more to ensure systems are designed with security and privacy mechanisms in place as part of the development process.
Cybersecurity expert Prof. Dr. Selvakumar Manickam of Universiti Sains Malaysia said companies should also invest in hiring white hats, or ethical hackers, to conduct penetration tests and patch “holes” found before systems are launched.
“Security audits should be conducted from time to time and certified by cybersecurity professionals. Online service providers should not be allowed to operate unless they receive such certification.
“With the changing laws and regulations relating to cyberspace, online service providers must be held accountable if such a data breach or leak occurs.
“Currently, most security measures are reactive, meaning remedial action is only taken after the breach has happened. Cybersecurity has always been an afterthought,” he told The Star.
The Personal Data Protection Act 2010 (PDPA) is set to be amended, with key points being game changers in the implementation and enforcement of the Act.
Prof. Selvakumar said it is almost impossible for any online service provider to guarantee that its services are 100% secure and unhackable.
This is due to errors and weaknesses in the system that have yet to be discovered by hackers.
“Most online services are ‘ticking time bombs’ waiting for a criminal to find their weaknesses and eventually exploit them, but without such services it would be extremely difficult for people to conduct online activities and transactions.
“Just as driving a car involves the risk of an accident, online services have their risks. We as users can only trust the service providers and hope that they have done their due diligence to ensure the security of their services,” he added.
Prof. Selvakumar emphasized the importance of ensuring two-factor authentication with the user’s mobile device.
“Whenever possible, use virtual accounts as this allows for better traceability and hides actual credit card information. It’s also important to review and monitor credit card activity,” he said.
He added that data breaches are not unique to Malaysia as cyber threats and hacking attempts are rampant around the world.
“The responsibility lies with the system designers, Malaysian or not. As mentioned, incidents like this will keep happening until companies invest and make real efforts to ensure the security of their systems,” he said.
Prof. Selvakumar also said that criminals find it easier to “hack” the user, meaning users can be tricked into revealing personal information or clicking on links leading to malicious websites.
“It’s called social engineering, a field that combines technology, psychology, sociology and other fields. Education and awareness programs can prevent users from becoming victims of fraud,” he said.
Communications and Multimedia Minister Tan Sri Annuar Musa said immediate action had been taken over the iPay88 cybersecurity incident that occurred in May.
The matter was handled by the Department of Personal Data Protection and Cyber Security Malaysia, which held a meeting with iPay88. In light of the matter, Bank Negara Malaysia also directed banks to immediately notify cardholders of additional safeguards being put in place to further protect them from the risk of fraud or unauthorized transactions.
The central bank said forensic investigations into iPay88 are still ongoing.
Malaysia has been subject to several data leaks in recent years, with a recent case related to the International Department of Trade and Industry’s public-private Covid-19 Industrial Immunization Program (Pikas).
In mid-May, local technology portal Amanz reported that a 160GB database of personal information belonging to 22 million Malaysians, owned by the National Registration Authority, was sold on the dark web for US$10,000 (RM43,950).
Deepak Pillai, a technology, multimedia, telecom and privacy partner of Christopher and Lee Ong, attributed the country’s continuous data leaks to a lack of seriousness on the part of some companies in managing their cybersecurity.
This, he said, along with a lack of reported enforcement actions and the relatively light penalties under the PDPA, has contributed to an environment where data breaches are becoming more prevalent.
“As the government says it is in the middle of drafting a cybersecurity law to be presented next year, I hope all parties will focus more on cybersecurity.
“That, coupled with the concept of ‘privacy by design’, which requires companies to address privacy issues at the design stage of a project rather than as an afterthought, will address many of the current issues being faced.
“E-commerce will continue anyway. I think people will take note of the violations and the actions that need to be taken.
“At the end of the day, the reputation of an e-business or e-service makes or breaks it,” he added.