Experts call for tougher law on data breach as Malindo Air becomes latest victim

Currently, any party that suffers a data leak in Malaysia is not obliged to notify the authorities or the victims


LEGAL and cyber-security experts are calling for a mandatory data breach disclosure regulation to be introduced in Malaysia in light of the increasing number of data breach cases in the last few years.

“There should be a data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve (TMR) yesterday.

Foong said the Personal Data Protection Commissioner had issued a consultative paper proposing mandatory disclosure, but progress has been muted so far.

Currently, any party that suffers a data leak in Malaysia is not obliged to notify the authorities or the victims.

In Europe, under the General Data Protection Regulation (GDPR), any company, including foreign firms that have an office in and/or serve the European region, is required to lodge a report of any data breach within 72 hours. Organisations face the risk of a fine of up to 4% of global revenue in the event of a data breach.

Malindo Airways Sdn Bhd has become the latest victim of a data breach, less than a month after the last reported case, by Astro Malaysia Holdings Bhd. Passengers’ passport details, home addresses and phone numbers were believed to have been compromised due to a leak in the carrier’s cloud-based environment.

The local unit of Indonesian low-cost carrier PT Lion Mentari Airlines (Lion Air) said in-house teams, together with external data service provider Amazon Web Services and GoQuo, an e-commerce partner, were investigating the matter.

“Malindo Air has put adequate measures in place to ensure the data of our passengers is not compromised, in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry Data Security Standard,” the company said in a statement yesterday.

The latest incident saw four files, two belonging to Malindo Air and two to Thai Lion Air, dumped online by “Spectre”, a dark web site operator that publishes download links to leaked data and stolen databases.

There were also references to Batik Air, another Lion Air unit that is based in Jakarta, Indonesia.

Meanwhile, cyber-security expert Fong Choong Fook said mandatory disclosure of data security breaches would instil greater responsibility in local organisations.

“The government should look seriously into having the regulatory body mandate the disclosure. Once you have mandatory disclosure of security incidents, organisations would take on higher responsibilities,” Fong told TMR.

Fong said that, to date, not many companies in Malaysia have been prosecuted, even when found guilty of data mismanagement.

He added that companies should run technical risk assessments, penetration testing and data encryption as proactive measures to prevent data leaks. Security experts broadly said data breaches should be treated like natural disasters, which cannot be controlled or predicted, so early preventive steps are needed.

Meanwhile, CyberSecurity Malaysia, the national cyber-security specialist, declined to comment about the Malindo Air case or the mandatory disclosure issues.

Last month, Astro suffered a second data breach, 14 months after reporting a breach that affected the details of 60,000 of its customers.

The satellite television (TV) operator said unauthorised access to customers’ MyKad data, including name, identity card (IC) number, date of birth, gender, race and address, was discovered.

In June last year, Astro said the details of up to 60,000 Astro Internet Protocol TV customers, which were provisioned specifically by Maxis Broadband Sdn Bhd, were leaked.

Malaysia was rocked by its largest data breach incident, reported in October 2017, in which 46 million personal records including IC numbers, addresses and mobile numbers were leaked.