Purge data and restart: Experts urge Malaysia govt to fix security flaws in new central database

Malaysia's Economy Minister Rafizi Ramli, who is in charge of the new central database, has dismissed the security concerns. PHOTO: BERNAMA

KUALA LUMPUR – The public data in Malaysia’s recently launched central database Padu, which has drawn flak for security loopholes, should be purged as the data can no longer be trusted, said a cyber-security expert.

And the best move for Economy Minister Rafizi Ramli, who is in charge of Padu, is to do this as soon as possible, independent cyber-security consultant Dinesh Nair told The Straits Times.

“Given that there have been multiple anecdotal examples of people registering for others, you really can’t trust that the data in Padu belongs to the person who signed up. To take a safe approach to fix this, they should take it offline, completely fix everything, conduct a security audit and fix the loopholes.

“They should also purge all the data and restart public registration from scratch,” he said.

By Jan 7, the system had garnered nearly 800,000 registrations, with the government aiming for 29 million registrations by March 31.

Account holders are required to input their basic information and address, education level, occupation, income, household information, commitments and any aid received from the government. This data will be used to form profiles for individuals and households.

Padu, a socio-economic database combining personal as well as government data, was designed to ensure well-targeted distribution of aid such as fuel subsidies and welfare handouts to those who need it.

The central database system was launched by Prime Minister Anwar Ibrahim on Jan 2, but concerns about identity theft emerged the next day after users were able to register accounts for others just using their identity card numbers and postcodes.

Among its foremost critics is former international trade and industries deputy minister Ong Kian Ming, who has proposed the system be suspended.

“There is a major security issue with the registration of Padu whereby if you have the IC number and the postcode associated with the IC address of a user, you can register for the Padu account for that person without having to go through the E-KYC process,” said Mr Ong, referring to the electronic know-your-customer method that requires users to upload photographs of their IC and a selfie.

He said he registered Padu accounts this way for four of his colleagues from the Democratic Action Party, which is part of the ruling government, namely ministers and deputy ministers Hannah Yeoh Tseow Suan, Steven Sim Chee Keong, Liew Chin Tong and Teo Nie Ching.

Mr Rafizi has dismissed the security concerns, saying that security issues such as using IC numbers to override passwords will be addressed soon, and that only profiles that have been confirmed under the E-KYC system will be accepted by the authorities.

Lawyers for Liberty has also asked the government to suspend the initiative until Malaysia’s Personal Data Protection Act (PDPA) has been amended to ensure that government agencies are held accountable if data from Padu is leaked or stolen.

The human rights legal association said Padu puts the public at a “terrible disadvantage” and in danger of loss or damage in case of a data security issue.

Hitting back at the group, Mr Rafizi said government agencies have their own regulations concerning data and do not fall under the PDPA, and it does not make sense to postpone the project until the law has been amended.

Political analysts said that Mr Rafizi’s behaviour is typical of the ruling Pakatan Harapan (PH) coalition, which is strongly opposed to criticism.

“PH... does not take kindly to criticism – which it sees as nothing but deliberately opportunistic political moves from detractors – much less apologise or reverse course,” said Dr Oh Ei Sun, a senior fellow at the Singapore Institute of International Studies.

Similarly, Universiti Kebangsaan Malaysia Institute of Ethnic Studies deputy director Kartini Aboo Talib said the ruling government should just admit to its mistake.

“They are showing their true colours: always defensive and in denial. It is acceptable for them to be honest and accept the fact that Padu still has technical anomalies that are common when running a new system,” she told ST.

Cyber-security expert Dinesh said public trust in the system has already been eroded, and there is no urgency to rush the development of such a critical platform.

“Even if the data entry has been done accurately, the trust is not there any more. They should bite the bullet and ask the public to sign up again once everything has been fixed. The sooner the better as there will be less data to purge,” he added.