KUALA LUMPUR - Users of the Malaysian Road Transportation Department's VEP (Vehicle Entry Permit) website can no longer see the personal data of other motorists, a day after The Straits Times reported that a loophole on the site exposed the personal information of foreign motorists.
This comes as Malaysia's transport ministry said on Saturday (April 27) that it takes data security "seriously", although it did not explain how sensitive information like a driver's NRIC number, address, contact numbers, passport details and chassis information could be seen on the website by simply making an alteration to the site's URL.
"Data security is a matter that we take seriously. It is of utmost importance to us and we are treating it with great urgency," it said in a statement.
"The VEP portal deploys a 'same-origin policy' where it only allows scripts on a first Web page to access data on the second Web page, and only if both are of the same origin. This policy prevents any malicious attempts to obtain access to sensitive data on one page to another page."
The discovery was made by accident after Singaporean driver Mohammad Hafiz "cut and pasted" the website's URL and sent it to his nephew on Friday morning to help him register for his VEP.
Mr Hafiz, 28, told The Straits Times: "When he opened the page, he was surprised he was staring at my own details and not his."
When Mr Hafiz, an IT specialist, made some changes to the URL that showed his VEP account, he was able to see sensitive information of other motorists in a matter of seconds.
Experts said that it is possible that the data has been accessed by external parties.
ST alerted the Malaysian authorities to the data loophole around noon on Friday and at 5pm the same day, access to the website was blocked, with a message alerting users that maintenance was ongoing.
The ministry said on Saturday that "after thorough investigation", the VEP portal is now accessible, although it did not say what steps it took to resolve the problem.
When ST tried to access the site at 10am on Saturday, it was fully accessible and the loophole seemed to have been plugged.