Heavier fines for hackers, hasty data holding firms

There is a need to revise and enhance PDPA 2010 as cases of data breaches start to pile up

by RAHIMI YUNUS/ graphic by TMR

CYBERSECURITY Malaysia has proposed a heavier penalty against data breach offenders and companies that fail to safeguard their customers’ data, as incidents of digital theft and hacking continue to cause panic among consumers.

The cyber security specialist agency under the Communications and Multimedia Ministry has recorded 7,667 cases of cyber-related incidents for the first nine months of this year, compared to 6,182 cases recorded during the same period a year ago.

The agency’s figures showed that from January through September 2019, 1,025 intrusions, 69 intrusion attempts and 515 malicious code cases were recorded, raising fears over the security of the country’s information technology infrastructure.

For the whole of last year, 1,805 intrusion attempts, 1,160 intrusions and 1,700 malicious code cases were recorded.

More malicious codes are being used to cause security breaches or are intended to damage systems.

CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab said a heavier penalty is required to counter the rising cases of system hacking and intrusions.

“We should impose a heavier penalty for data breach offenders, including companies that neglected security aspects when it comes to safeguarding customers’ data,” he told The Malaysian Reserve (TMR) recently.

He said there is also a need to revise and enhance the Personal Data Protection Act (PDPA) 2010 as cases of data breaches start to pile up, threatening the personal information of millions of Malaysians.

“There are some suggestions on the need to revise and enhance the PDPA 2010, which is under the purview of the Personal Data Protection Commissioner Malaysia,” he said.

TMR reported that there have been 178 cases of data breach to date, a jump of almost 200% from the 63 attacks recorded last year, according to figures from CyberSecurity Malaysia’s Malaysia Computer Emergency Response Team.

In 2017, only 19 cases were reported in Malaysia, but advancements in hacking techniques and the almost muted responses to calls to enhance complex network systems have made many organisations vulnerable targets.

Experts believe the number of cyber attack and intrusion victims is higher, as many companies and organisations do not report such incidents. Making cases of intrusion and digital information loss public can cause significant reputational damage, create customer trust deficits and invite legal implications.

Amirudin said one of the recommendations is to enforce that the critical national information infrastructure (CNII) sectors and private companies develop a data breach management plan to limit the damage from such incidents.

The CNII sectors and local companies should implement an information security management system and obtain the ISO 27001 certification to help counter such incidents, he said.

CNII sectors include national defence and security, banking and finance, information and communications, energy, transportation, water, health services and a few others.

Amirudin said the sudden spike in data breaches is largely driven by the financial gains of intruders, who can sell personally identifiable information (PII) data.

He said there is a high demand for PII data on the dark web or the underground economy.

“This could fuel the rise in data breach incidents. There are also free, readily available tools to launch a data breach attack,” he said, adding that the lack of security measures and policies in an organisation can lead to digital breaches.

Amirudin said, based on the agency’s analyses, government or private websites have unpatched vulnerabilities that open the door for illegal entry.

Improper control of data circulation involving third parties such as vendors and developers, insider threats and improper system configuration are among other flaws identified in the data security infrastructure.

Malaysia was ranked fifth-worst in privacy protection among 47 countries studied by Comparitech.com, a UK-based technology research firm.

Malaysia scored 2.6 out of five, signalling that safeguards exist but are weak against all threats. Other countries in the rankings are Thailand (2.6), India (2.4), Russia (2.1) and China (1.8).

Comparitech.com said the introduction of the PDPA 2010 did increase Malaysia’s data privacy protection, but the laws need to be updated as technology advances.

A survey by Chubb of Small and Medium Enterprises (SMEs) revealed that 84% of SMEs in Malaysia were affected by cyber incidents in the past year.