Deputy Minister Claims MySejahtera Wasn’t Breached, Contradicting Auditor-General’s Report

Lukanisman Awang Sauni claims in Parliament that the download of 3 million vaccine recipients’ data by a MySejahtera Super Admin account was actually a “security measure”, contradicting MOH’s own response to the Auditor-General that described it as abuse.

KUALA LUMPUR, Feb 27 – Lukanisman Awang Sauni claimed today that the MySejahtera health application did not suffer a data breach involving three million Covid-19 vaccine recipients, directly contradicting the Auditor-General’s findings.

Instead, the deputy health minister claimed that the downloads of personal information of three million users by a “Super Admin” MySejahtera account, as reported by the national audit, were a “security measure” in response to 1.12 million attacks on the app. 

“What happened was that the MySejahtera party managed to control those attacks and no breaches had occurred; just that what was reported was that Super Admin’s download of three million data was a security measure taken,” Lukanisman told the Dewan Rakyat today during Question Time.

“When the attacks occurred, Super Admin was forced to perform an administrative action (tata kelola) to look and to upload the said data. I’m unable to explain this case in the House because the upload of the three million data is still under police investigation.”

The deputy minister was responding to a supplementary question by Kuala Langat MP Dr Ahmad Yunus Hairi, who is also the head of Perikatan Nasional’s health committee, who had asked how the government could guarantee the security of the MySejahtera app, following the Auditor-General’s revelation of the data breach.

Lukanisman’s remarks in Parliament today were in direct contradiction of both the findings of the national audit and the Ministry of Health’s (MOH) own response to the Auditor-General, as disclosed by the Auditor-General’s 2021 report (Series 2) that was tabled in Parliament last February 16.

According to the AG’s Report, citing MySejahtera Security Meeting Minutes No 1/ 2022, a total of 1.12 million attempts to breach the MySejahtera app using a certain IP address from October 27, 2021.

MOH’s response to auditors on September 9, 2022, as reported in the AG’s Report, said that the IP address was blocked on October 28, 2021 and that a police report was filed on November 5, 2021 to identify the cause of the attacks and improvement measures.

Then, the Auditor-General highlighted that a “Super Admin” account had performed “suspicious access” and downloaded the information of three million vaccine recipients from the MySejahtera app, citing the same MySejahtera security meeting minutes. These downloads occurred from October 28 to October 31, 2021, using five different IP addresses.

MOH’s response to the national audit on September 9, 2022 and October 7, 2022, as reported in the AG’s Report, said that the downloads of vaccination data were made through a MyVAS Super Admin account and that the said user ID was deactivated on November 2, 2021. 

MOH also told auditors that it could not identify what datasets had been downloaded by the Super Admin account and that this was still under police investigation.

“MOH has confirmed the incident as minuted in the MySejahtera Security Meeting Minutes No 1/ 2022. The supplier stated that on October 28, 2021, a Super Admin account, which had been approved for registration by MOH, was abused and sent an application to download the data of three million vaccine recipients through the MySejahtera system,” read MOH’s response to auditors. 

“As soon as this was identified by the supplier, that account was immediately blocked. This incident was reported to NACSA (National Cyber Security Agency) and a police report was filed on November 5, 2021.”

The AG’s report does not state that the download of personal information of three million vaccine recipients from the Super Admin account was a “security measure” in response to the 1.12 million attacks on the MySejahtera app, as claimed by Lukanisman in Parliament today.

You may also like