Personal Data Protection Commission to probe data leak

PETALING JAYA: Police are suspicious that last year's massive data breach of mobile phone users and the recent data breach of over 440,000 organ donors and their next-of-kin from government hospitals and the National Transplant Resource Centre, were first reported on the Lowyat.net website.
"We find it suspicious and we will be in contact with the website administrators regarding this case," Inspector-General of Police (IGP) Tan Sri Mohamad Fuzi Harun said after officiating a Criminal Investigation Department investigation guidelines book handover at Sogo shopping centre in Kuala Lumpur today.
He noted that it was unusual that the reports of the two data breaches all appeared to originate from the same forum.
"The case is being investigated by the Federal Commercial Criminal Investigation Department (CCID)."
Mohamad Fuzi said little progress has been made in the probe into the previous data breach that saw the personal details of some 46.2 million mobile number subscribers in Malaysia leaked online last year.
"The case is under the Malaysian Communication and Multimedia Commission and we are only assisting them.
"We tracked the IP of the breach to four countries but haven't been able to move further with the case so far," he said.
Bukit Aman ​​Commercial CID (Cyber ​​and Enforcement Investigation) principal assistant director SAC Ahmad Noordin Ismail said the police will not initiate any probe into the latest breach unless there is a report lodged on the matter.
He added that other bodies, such as the Personal Data Protection Commission and the Malaysian Communications and Multimedia Commission (MCMC), would come in to start with the investigations.
"I have not seen any report yet so far ... we will come in only when someone lodges a report," he said.
Ahmad Noordin added that the task of identifying the source or suspects in the latest data breach would fall under the MCMC.
"They will have the capabilities as they are the regulatory body," he added.
He warned those who possessed any of the leaked personal data from the breach could be punished by law.
Meanwhile, Personal Data Protection Commission director-general Khalidah Mohd Darus said they take the breach very seriously.
She said the commission has taken note of the leak and has started investigations under the Personal Data Protection Act 2010.
Lowyat.net reported on Tuesday that the personal details of over 220,000 organ donors and their next-of-kin had been leaked online.
The website said the leaked data contains MyKad numbers, home addresses and telephone numbers of those who have made pledges, as well as the details of their nominated next-of-kin, which doubles to 440,000 the number of leaked records.
Malaysian Digital Economy Consumer Association secretary-general Muhammad Sha'ani Abdullah urged all government agencies involved in the collection of personal data to immediately institute data security measures to prevent any further breaches of such official databases.
"All incidences of data breaches involving government agencies should be investigated by Public Services Department and the head of department should be taken to task for such a breach.
"This repeated leaks involving government agencies that collate massive personal data makes the Personal Data Protection Act 2010 meaningless because it (only) covers private entities," Sha'ani added.