PETALING JAYA: A hacker attack which may have led to data theft has seen the Social Security Organisation (Socso) become the latest government agency to find itself under the cybersecurity spotlight.
Experts are now raising questions about the measures the government needs to take to safeguard Malaysians’ personal data.
Although Socso has said a management plan was activated to minimise damage, cybersecurity law expert and lawyer Derek John Fernandez called for a review of existing systems and cybersecurity practices.
Socso had earlier confirmed that its information database and website were hit by a cyberattack last Saturday.
“There must be a thorough review of data storage and information security protocols in agencies with critical operations or holding substantial personal data,” said Fernandez.
He added that there is a need to conduct regular and comprehensive vulnerability and security assessments and audits.
Fernandez recommended that the government engage and enlist CyberSecurity Malaysia (CSM) and other authorised cybersecurity professionals as it’s “a big job and will require a lot of expertise”.
In October, CSM said the government sector experienced the greatest number of data breaches in the first half of the year.
Its Mid-Year Threat Landscape Report 2023 said the sector accounted for 22% of all breaches, leaking a total of 291.49GB of data, and added that ministries and agencies “are exposed to significant cyber risks, including vulnerable software, weak access controls, data exposure and other critical issues”.
It recommended a comprehensive assessment across all government agencies, proposing that it cover web and hosting infrastructure, data centres, internal systems and the ministry’s entire ecosystem.
Last month, cybersecurity company Surfshark ranked Malaysia as the eighth most breached country in the third quarter (Q3) of 2023, with 494,699 leaked accounts.
The breach rate was 144% higher in Q3 2023 than in the previous quarter.
A post on BreachForums made on Dec 5 included a YouTube video link that purportedly featured a recording of a meeting involving Socso’s top management discussing the incident.
The video was removed from YouTube after Socso issued a copyright claim strike against it.
The forum post also contained samples of personal data allegedly obtained in the incident.
According to Socso, it was hit by a cyberattack on Dec 2 but managed to successfully contain the incident, preventing any impact on its daily operations.
It also said this was not the first time it had come under cyberattack, as it had faced a series of such attacks, the most recent in September; it claimed that this too was contained.
Malaysia Cyber Consumer Association president Siraj Jalil said the latest incident was worrying as this was not the first time a government agency had been involved in a data leak.
“Socso holds a lot of sensitive credentials, so it’s not hard to see why it was targeted by cybercriminals,” he said.
He said it was crucial now for the government to walk the talk on cybersecurity reforms and take action.
“People are getting restless. They want to see what action the government is going to take and who will be held accountable here,” he said.
Cybersecurity company Wilstech chief operating officer Ernie Tan said organisations that have been affected by a cyberattack should inform relevant parties if their data has been compromised.
“In Socso’s case, they should reach out to any affected party to remind them to be extra vigilant.
“If any information has been leaked, people have the right to know to protect themselves from possible scammers or cyberthreats,” he said.
Communications and Digital Minister Fahmi Fadzil was quoted in a Bernama report as saying that CSM, the National Cyber Security Agency, and the Personal Data Protection Department will conduct investigations into reports that Socso’s website had been hacked.
He urged the public to give the agencies time to gather additional information.
“Sometimes what is shown on the dark web is old information that is repackaged and passed on as new information. My office will issue a statement later,” he said.
Fernandez, meanwhile, warned that security concerns should not be overlooked, especially with the implementation of the MyDigital ID intended to unify logins to government services.
“Malaysia launched a digital ID, Singapore has done it too, and of course, every crook in town will want to defeat the system or hack the digital ID because it can open a lot of doors.
“So you can expect bad actors to be focusing on your system because there is a lot to gain,” he said.
Fernandez said proactive action is needed to determine the state of criminals’ technology and capabilities so that precautions can be taken.
“We cannot lose sight of looking into the regular health and security checks for the system and the operating procedures. We also need to know about threats and risks through the use of threat assessment and intelligence technologies,” he said.