PETALING JAYA: There is a pressing need to fortify the government’s newly launched Central Database Hub (Padu) and zealously guard the privacy of the massive amounts of information in it, data security experts have warned.
Former Malaysian Communications and Multimedia Commission (MCMC) chairman Dr Fadhlullah Suhaimi Abdul Malek said the risk of a data breach will always be there.
“On Padu as a database, I am sure they have considered the security aspects. ‘How secure’ is always a question. If the processes are done right and with discipline, such as regular penetration checks, then the risk of it being breached is minimised.
“An example is our switching database for payments run by PayNet that has been in operation for some time now and which has not had any breaches.
“PayNet conducts stringent cybersecurity assessments regularly,” he added.
Fadhlullah said the initial policy for such a database was for data to be stored on a local cloud, adding that MyDigital Blueprint should have hyperscalers investing in Malaysia.
“That will give sovereignty to where the data is even if in the cloud. Usually, there is such a thing called a private cloud – which is normally used by governments or big corporations, and this tends to be very secure.
“As to the past breaches of personal data, these breaches tended to happen at the user end rather than at the source. For example, the breach at a bank and the Employees Provident Fund was due to scammers,” he claimed.
Statistics Department chief statistician Datuk Seri Mohd Uzir Mahidin said Padu’s security costs will, for now, be borne under the department’s current budget, with some of the security barriers already in place.
“Our main storage is on our premises. Only during the updating process of 39 variables will we use the local cloud. As to whether we have enough human resources, we have 49 certified data scientists who will be working on Padu.
“Should we need to step up security, we may increase the allocation for it later,” he said.
CyberSecurity Malaysia (CSM) chief executive officer Datuk Dr Amiruddin Abdul Wahab said threats against the important data of millions of people are not only real but changing every second with the advancement of technology.
He said while this was a concern, one should not worry too much as the authorities in charge have taken all the necessary steps to ensure Padu is secure.
“CSM was tasked with conducting a Security Posture Assessment (SPA) as an independent third party.
“However, the overall requirements and ownership belong to the Malaysian Administrative Modernisation and Management Planning Unit (Mampu) and the Statistics Department.
“Generally, the cloud is secure for storage, and it is based on the cloud security controls implemented by the cloud service provider,” he added.
Cybersecurity consultant Fong Choong Fook urged the government to publish a White Paper detailing how the entire database was architected, including how data is retrieved, consolidated and secured within the centralised database, in order to boost public confidence in Padu.
The LGMS Bhd founder and executive chairman said questions on the cybersecurity strategy, how the database is structured, what security controls are in place, and what encryption measures are being employed to protect the security, integrity and confidentiality of Malaysian data must be answered.
“If there is a target for me as a hacker, I would be looking at this centralised database because it contains details of every single Malaysian.
“There are many layers of security that we must be concerned with. When you put everything into one centralised database, you are creating a huge liability,” he added.
Fong said that, rather than Padu, it would be “more modern and elegant” to handle and retrieve data by developing a super-centralised API (Application Programming Interface) gateway connecting various data sources, as Singapore has done.
“This API gateway would offer granular control over data access, enabling the government to define access policies, enforce security measures and minimise exposure to sensitive data. In other words, only provide access to what is needed, not everything at once.
“This approach enhances security and promotes transparency in data handling and retrieval, and it will be much more manageable when managing API access instead of database access,” he added.