Malaysia’s new database plan runs into privacy concerns amid recent hacks, data leaks

This came after former deputy international trade minister Ong Kian Ming revealed that anyone with knowledge of another person’s identity card (IC) number can register as that person, provided they also know the person’s home postcode.

The account allows the public to declare banking information, income, and dependencies that will give the government a better understanding of the needs of the individual.

“Anyone with your IC and postcode of your IC address can register your IC on your behalf,” Ong wrote on social media platform X. “It will be a hassle to get back your account.”

Why Singapore’s new AI plan could help Asia’s cybercrime fight

Rafizi said such registration, although possible, is only recorded in the database once the account holder completes the electronic Know Your Customer (eKYC) process, which requires sending photos of the IC and a selfie of the account holder.

“Until the eKYC process is completed, the registration is pending and invalid,” Rafizi said. Since the launch, over 230,000 people have registered, with 71 per cent having their eKYC verified.

The minister said the loophole was by design, allowing people to access the platform ahead of the eKYC process as it might take some time for them to be verified.

“If it happens that an account is registered by someone else, users can directly go to the help desk – online, call centres or physical counters,” he added.

But the public was not swayed by Rafizi’s assurance, and calls have mounted for the registration process to be suspended pending a proper fix.

“The correct solution is to turn off the system and get the flow right, first. Then only turn it back on for registration,” computer engineer Shawn Tan said on X.

Concern over data security and protection against breaches is high in Malaysia after repeated revelations of hacks and data theft over recent years.

In 2022, the personal data of 22.5 million citizens, ranging from their full names to identification numbers, home addresses, phone numbers and ID photos, were stolen from government servers and sold on the dark web for a reported price of US$10,000.

Malaysian PM’s messaging accounts hacked as officials deny data breach crisis

The data was then made available on the internet, allowing anyone to gain access to everything from names and addresses to voting constituencies and student loans by just keying in a Malaysian IC number.

Then-prime minister Ismail Sabri and members of his cabinet had their Telegram and Signal private messaging accounts hacked and abused to scam people.

A cybersecurity report by Surfshark, a virtual private network service provider, ranked Malaysia as the “eighth most breached country” last year, with more than 490,000 leaked accounts.

The report found that data breaches in Malaysia had risen by 144 per cent in the third quarter of 2023, compared with a 76 per cent decline in such incidents globally in the same period.