MITI Site Allegedly Exposed Personal Data Of Workers Registered For Covid-19 Jabs

The government website allegedly showed an open directory of files containing spreadsheets of staff registered by companies for PIKAS, including names, IC numbers, mobile numbers.

KUALA LUMPUR, May 31 – A government website by the Ministry of International Trade and Industry (MITI) allegedly exposed personal information of employees registered for the Public-Private Covid-19 Industrial Immunisation Programme (PIKAS), a cyber security expert claimed. 

MITI required companies to register their staff online for PIKAS — a Covid-19 vaccination programme for the manufacturing sector — via the PIKAS system at https://pikas.miti.gov.my/ from July 1, 2021, after PIKAS was launched last June 16, according to a PIKAS FAQ.

Suresh Ramasamy, who formerly headed IT security at a bank and two telcos in Malaysia, said that this application process required companies to upload an Excel spreadsheet to the PIKAS system that contains the following information: company name, staff name, identity card number or passport number, phone number, and role or position.

However, Suresh said he discovered that a server under MITI’s domain (https://pikas.miti.gov.my/) showed multiple open directories, including one containing more than 2,000 files. The Excel files in the directory were the same files that companies were required to upload onto the PIKAS system.

Suresh posted on his LinkedIn account screenshots that showed a directory of files under the PIKAS website and a spreadsheet with the names of Malaysian individuals, their IC number, employee ID, age, gender, and contact number.

“Some of the organisation names indicate [a] large number of staff (based on publicly known data), which gives rise to the conclusion that there was more than a million records of personal information that was left open for anyone to access,” Suresh wrote in an article on LinkedIn today titled “EXPOSED! Millions of Malaysian personal data exposed by a govt site”.

“Since it’s left open, it’s best to confirm that the data is probably out in the wild, to anyone who has access to internet.”

Deputy International Trade and Industry Minister Lim Ban Hong reportedly said last July that 17,053 companies with 1.3 million workers nationwide had registered for PIKAS as of July 24.

Suresh noted that the /storage directory on MITI’s site, which contains many other directories, was left open, surmising that this could be intentional.

“The reason behind this hypothesis is that there was another directory called logs, with filename starting with the word ‘laravel’,” he said, referring to Laravel application logs that are left open to provide the vendor access for troubleshooting the application.

On why Excel files containing Malaysians’ personal data were left open on MITI’s site, Suresh theorised several reasons:

  1. “An eager beaver wants to take home work, asks IT admin to leave the files open so that they can copy it at home and do that number crunching so that M gets his report on time.
  2. IT dev team needs the files to do some batch processing and needs to transfer the files to a different server, leaving an open directory makes it easy to move files around.
  3. Malicious staff wants to sell data to interested parties, and has access to the server to move files around.”

Suresh, whose LinkedIn profile states that he has vast experience in NCIS (Network, Cyber & Information Security, Cyber Threat Intelligence, Machine Learning), said it was unknown how long the information was left open.

“Only MITI IT folks will be able to tell based on the server logs (if that is enabled).”
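Suresh's point that only the server logs can show how long the /storage tree and the Laravel log files were reachable suggests a retrospective check a site owner can run. The following is an added example, not code from the article or from MITI's PIKAS system: it parses access-log lines in the common Apache/nginx combined format (an assumption) and tallies, per client address, successful requests for directory listings, Laravel log files and spreadsheet downloads under /storage. The log lines are constructed samples with documentation-range addresses.

```python
import re
from collections import defaultdict

# Combined log format (assumption: Apache/nginx default access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: the app's storage/ tree is reachable as /storage under
# the web root, which a Laravel deployment should never allow.
SENSITIVE_PREFIXES = ("/storage/",)
LOG_FILE_RE = re.compile(r"/laravel[^/]*\.log$")
BULK_FILE_RE = re.compile(r"\.(xlsx|xls|csv)$", re.IGNORECASE)

def classify(path, status):
    """Label one successful request under a sensitive prefix, else None."""
    if status != 200 or not path.startswith(SENSITIVE_PREFIXES):
        return None
    bare = path.split("?", 1)[0]
    if bare.endswith("/"):
        return "directory-listing"   # index page of a directory served
    if LOG_FILE_RE.search(bare):
        return "laravel-log-read"    # application log fetched over HTTP
    if BULK_FILE_RE.search(bare):
        return "bulk-download"       # uploaded spreadsheet fetched
    return "storage-access"

def scan(lines):
    """Parse access log lines; return {client_ip: {label: count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m["path"], int(m["status"]))):
            findings[m["ip"]][label] += 1
    return {ip: dict(c) for ip, c in findings.items()}

# Constructed sample lines with documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2022:10:01:02 +0800] "GET /storage/ HTTP/1.1" 200 48213
203.0.113.7 - - [22/May/2022:10:01:09 +0800] "GET /storage/logs/laravel-2022-05-20.log HTTP/1.1" 200 913000
203.0.113.7 - - [22/May/2022:10:02:15 +0800] "GET /storage/uploads/staff_list.xlsx HTTP/1.1" 200 27610
198.51.100.4 - - [22/May/2022:10:03:00 +0800] "GET /login HTTP/1.1" 200 5120
198.51.100.4 - - [22/May/2022:10:03:30 +0800] "GET /storage/ HTTP/1.1" 403 199
""".splitlines()

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

The earliest timestamp among the flagged lines bounds how long the exposure was being read; a 403 on the same path, as in the last sample line, is what the log should show once the directory is locked down.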

MITI’s PIKAS site was taken down today, shortly after Suresh’s article was posted on LinkedIn. 

A May 27 email from CyberSecurity Malaysia, a national cyber security specialist agency under the Ministry of Communications and Multimedia, closed the case on Suresh’s May 22 complaint about the open storage of sensitive information on the PIKAS site.

“Please be informed that the content you reported to us is no longer available. We hope this is of help and with this we shall close the case,” read the email from [email protected] to Suresh, as sighted by CodeBlue.

Previously, CyberSecurity Malaysia told Suresh that it had “already taken action to notify and advise the respective party accordingly.”

Suresh wrote on LinkedIn that such incidents further eroded public trust in the government’s ability to safeguard personal data, pointing out that the Personal Data Protection Act (PDPA) 2010 “conveniently excludes government agencies from being responsible for managing data”. 

“The scale of data being lost is huge, and has far-reaching impact beyond just today’s article.”

The PDPA – meant to regulate the processing of data in commercial transactions – exempts the federal and state governments.

CodeBlue has contacted Senior International Trade and Industry Minister Mohamed Azmin Ali and MITI’s corporate communications department for comments on this incident.

The revelation of purported poor data security practices by MITI comes after Parliament’s Public Accounts Committee (PAC) flagged last March the uncertainty over who owns the national Covid-19 app, MySejahtera, and its data.

The MySejahtera issue has yet to be resolved, as Health Minister Khairy Jamaluddin has not announced any contract with MySJ Sdn Bhd, a new private company that was directly appointed by the Cabinet for the MySejahtera project. PAC is scheduled to table its report on the development and procurement of MySejahtera in the upcoming Parliament meeting in July.

Just two weeks ago, tech site Lowyat.net reported that a National Registration Department (JPN) dataset — which contains the full name, IC number, address, date of birth, and mobile number, among other personal details — of roughly 22.5 million people in Malaysia born from 1940 to 2004 was offered for sale on the internet.

Home Minister Hamzah Zainudin denied that the dataset belonged to JPN; police are investigating the incident.
