IT has happened again. This time at Universiti Teknologi Mara (UiTM) where records of just over a million students have been leaked.
Is it an inside job? Hard to tell, but UiTM is probing.
UiTM sources contacted by the New Straits Times say it may just be put together from multiple sources by some hackers to make it look like it is from the university’s database.
The reason: screenshots of the leaked data viralled are not in the format used by UiTM. We have no reason to doubt this as the institutions firewall bears the stamp of Sirim. Plus, this is the university which has put a satellite — UiTMSAT-1 — in orbit and is in the process of launching another, this time in collaboration with six others, by 2021.
So they do know a fair bit about firewall and data security.
If UiTM is right, the culprits must be out there, either in Malaysia or beyond. They are not unreachable, though a little difficult to identify.
The Malaysian Communications and Multimedia Commission (MCMC) must actively pursue them and bring them to book. We are still smarting from Malaysia’s biggest data breach in October 2017 when 46.2 million mobile subscribers’ data, among others, were leaked online.
Imagine the scale of the leak.
Malaysia’s population is only 29 million while the leaked data are just shy of 50 million.
We have the Personal Data Protection Act 2010 (PDPA) which regulates the processing of personal data in regard to commercial transactions but has it been enforced with vigour?
Not as vigorously as we expect given the number and scale of data breaches since PDPA was gazetted in June 2010.
The first data user — a local private college — was not charged until May 3, 2017 for processing personal data of former employees of the college without a valid certificate of registration in contravention of section 16(1) of the PDPA.
Section 16(1) requires some types of users to be registered and to be issued with a valid certificate by the Personal Data Protection Department.
Since then there has been a dearth of high-profile cases although there have been high-profile breaches. Perhaps the MCMC was giving data users time to implement policies and procedures that were in line with the PDPA before it went into full swing.
But that swing is long overdue.
The PDPA also seems not to have a bite that is harder than its bark. Take the case of the first data user to be charged under the PDPA. The private college operator was charged in the Sessions Court under Section 16(4) of the PDPA which provides for a fine of up to RM500,000, or imprisonment of its officers for up to three years, or both. This is akin to a slap on the wrist of criminals. And a corporate one at that. The consequences for the victims and their families of identity thefts are humongous. It is life threatening even. MCMC must not only go after them with vengeance but also seek to amend the PDPA to give it a harder bite. People must not be allowed to profit from someone’s misery.