Audit: MySejahtera Data Breach Affected Three Million Users

A “Super Admin” account under the MyVAS system, which is used at vaccination centres to record and issue Covid-19 vax certs, downloaded the personal information of three million vaccine recipients from the MySejahtera app, according to the AG Report.

KUALA LUMPUR, Feb 16 – The personal information of millions of MySejahtera users has been exposed after an account authorised for vaccine administration stole data from three million vaccine recipients, revealed a national audit.

The latest Auditor-General’s 2021 report (Series 2) tabled in Parliament today revealed that a “Super Admin” account under the MyVAS system, which is used at vaccination centres to record and issue Covid-19 vaccination certificates, had downloaded the personal information of three million vaccine recipients from the MySejahtera app. 

The data breach took place between October 28 and October 31, 2021, using five different IP addresses, according to the national audit, citing an email from MySejahtera developer KPISoft Malaysia Sdn Bhd (company registration number 700674-U) (currently known as Entomo Malaysia Sdn Bhd) to the National Security Council (MKN) on November 2, 2021.

The National Cyber Security Agency (NACSA) was alerted to the incident, and a police report was filed by the Ministry of Health (MOH) on November 5, 2021. The MOH, in a response to queries from the Auditor-General’s office in September and October last year, said police are still investigating the incident.

Authorities have been able to trace the data breach to a MyVAS “Super Admin” account, but the destination to which the millions of vaccination records were exported has not been identified and remains under investigation.

The user ID was deactivated on November 2, 2021.

MyVAS administrators or “vaccine admins” have back-end access to various records on the government health app, including to upload or download Covid-19 vaccination appointments, exemptions, and vaccination records from Excel onto MySejahtera in bulk or individually; to update or remove vaccination appointments; and perform checks on vaccination records.

The MOH has verified the incident in its meeting minutes (Minit Mesyuarat Keselamatan MySejahtera Bil 1 Tahun 2022). The ministry admitted that the “Super Admin” account had received registration approval from the ministry, which it said had been abused.

The MOH has since cancelled the user account, added anomaly detection to block repeated requests made from the same source, informed NACSA to block repeated requests identified through anomaly detection, and installed a web application firewall on the cloud on November 1, 2021, as preventive measures.

Third-Party, General Users Have Over 80% Admin Access On MySejahtera

The Auditor-General’s report found that 103 users were given access permissions as “admin” for the MySejahtera app. MySejahtera administrators can edit or update personal user information, and set questions under “Custom Form Admin” to obtain information on Covid-19 Risk Status and Covid-19 Self-Test, among others. 

Of the 103 MySejahtera administrators, over 83 per cent (86 users) were either third-party users (77 users) or general users (9 users). Authorised users under the MOH made up only 16.5 per cent (86 users) of administrators for the MySejahtera app.

The audit also found that the bulk (70 per cent) of MyVAS administrators are third-party users (52 per cent) and general users (18 per cent). MOH users formed less than a third (30.4 per cent) of the administrators. There are 56 MyVAS administrators in total.

In their defence, the MOH told government auditors last September 9 and October 14 that all accounts under MySejahtera and MyVAS have been identified and authorised. 

The ministry said the role of third-party and general administrators for the MySejahtera app, employed under MySJ Sdn Bhd (company registration number 1385845-M) – the private company operating MySejahtera – was to run the helpdesk, which dealt with manual uploads of Covid-19 vaccination records, appointments, and public complaints.

MOH told auditors that all admin accounts under MySJ have since been deactivated.

The A-G warned that granting access-control permissions to third-party or general users could pose a risk to data security, which is necessary to ensure the smooth delivery of government services.
