PETALING JAYA: The number of data breaches involving Malaysian social media accounts could be higher as most remain unreported, says a cybersecurity expert.
Taylor’s University cybersecurity lecturer Assoc Prof Datuk Dr Husin Jazri said a much more comprehensive survey is needed to ensure reliable statistics on data breaches.
“The base survey should be well defined with large enough samples needed before we can arrive at any conclusion.
“Unfortunately, there are no reliable statistics in Malaysia when it comes to data breach as many cases are not reported and go unnoticed,” he said.
Cybersecurity company Surfshark’s recent survey found that the number of breached accounts in Malaysia had decreased.
During the first quarter of 2024, it was found that there were more than one million compromised accounts. The number declined to 364,259 in the second quarter.
Husin said that with the newly gazetted Cyber Security Act 2024, data breaches could be managed more strictly, adding that critical infrastructure companies were mandated to report data breaches to the central agency and regulatory bodies.
“Government agencies are not exempted from the Cyber Security Act unlike the Personal Data Protection Act. Thus, I am anticipating wider action to curb data breaches in the country.
“This is a very positive development for all, good for the businesses and for customers’ data protection,” he said.
Cybersecurity firm LGMS founder Fong Choong Fook agreed, saying that the Act would improve data protection in Malaysia.
He said organisations that fall under 11 types of critical national infrastructure would be required to report and support the government in the investigation of data breaches.
“As a part of the Act too, the organisations listed are required to carry out preventive methods. This will greatly help in curbing data breaches,” he added.
According to the Cyber Security Act, the organisations legally bound to report and prevent data breaches include government agencies, banking and finance, transportation and healthcare services.
The Act was officially gazetted on June 26.
The legislation introduced several important features such as the setting up of the National Cyber Security Committee, though it has yet to be enforced.
According to Husin, Internet users can protect themselves by refraining from sharing personal information online.
He stressed that the public needs to be critical of what is being requested from them as online users.
“From a technological perspective, the use of personal encryption solutions and personal device firewalls are two important mechanisms to ensure that data remains encrypted until you want it to be released or shared with others,” he added.
Husin said data breaches go beyond personal data as they involve business data, and regulators must be made aware of any incidents when they occur.
“Unfortunately, in many cases, we will only know about data breach after the incident happens and it is already out in the public space.
“A simple piece of advice – never do business with any company or organisation that does not show commitment to data protection or does not assure customers of their obligations to do so.
“Silent boycotts can be powerful if done collectively to show consumers are in charge of their personal data,” he said.