By Shou Sien and Vincent

Identity Crises: Yet another data leak in Malaysia



In mid-May 2022, an alleged data leak involving the information of 22.5 million Malaysians born between 1940 and 2004, purportedly leaked from the national registration department, Jabatan Pendaftaran Negara (“JPN”), grabbed the national headlines.


A Malaysian technology portal reported that the database (a sizeable 160GB) was being flogged on the dark web for US$10,000. The Minister of Home Affairs denied that the purported data leak came from JPN itself, saying instead that it came from "several agencies which we have given some leeway for them to obtain information from us". It was speculated that the leak may have involved the myIdentity API (Application Programming Interface), and the authorities are reportedly still investigating the source of the leak.


Just a few weeks before this leak, a database purportedly containing the information of over 800,000 Malaysians, obtained from the Election Commission’s website, was offered for sale for US$2,000.


A third leak was reported on 31 May 2022. A website of the Ministry of International Trade and Industry (“MITI”) allegedly exposed the personal information of employees registered for the Public-Private Covid-19 Industrial Immunisation Programme (“PIKAS”). As part of the Covid-19 government initiatives, MITI required companies operating in Malaysia to register their staff for PIKAS via the PIKAS online system. Companies were required to upload to the portal an Excel spreadsheet containing the company name, staff name, identity card number or passport number, phone number, and designation. It was discovered that a MITI server exposed multiple open directories (directory listings that could be browsed without authentication), which made it possible to access over 1 million records of personal information. MITI’s PIKAS site was taken down after a local cyber security expert disclosed the exposure and the disclosure was reported in the local media.


These recent leaks are not isolated cases. In a parliamentary reply in December 2021, the Special Functions Minister stated that between 2011 and 2021 there were 8 cases of significant personal data leaks, involving 67.5 million personal records of users which were stolen and sold on the dark web.


It should be noted that the Malaysian federal and state governments, including government agencies, are exempted from the Malaysian Personal Data Protection Act 2010 (“PDPA”). As such, the public sector’s collection, use and processing of personal data do not come under the PDPA (including the PDPA penalties and enforcement measures), and the public do not enjoy the safeguards provided under the PDPA in relation to their personal data in the hands of the Government. This is unlike other jurisdictions such as the European Union, South Korea and Australia, where governments are subject to personal data protection laws and are accountable for breaches of the legislation.


Another shortcoming of the PDPA 2010 is that it does not provide for data subjects to claim compensation for the wrongful use of their personal data or for breaches of the PDPA. This is unlike the General Data Protection Regulation (GDPR, Directive 2018/680), which applies to all members of the European Union and the countries of the European Economic Area. Article 82 of the GDPR gives any person who has suffered material or non-material damage resulting from a breach of the GDPR the right to receive compensation from the data controller or processor for the damage suffered, and this applies to public authorities and agencies as well.


There are growing calls for the Government to amend the PDPA to improve the legislative safeguards and beef up enforcement, and to relook the role and functions of the Personal Data Protection Commissioner in administering and enforcing the PDPA.

