KUALA LUMPUR – The recent data breach of the National Population and Family Development Board (LPPKN) database, orchestrated by hacker group R00TK1T, underscores the vulnerabilities in Malaysia’s data protection system, said a cybersecurity specialist.
Cybersecurity expert Murugason R. Thangaratnam said the incident serves as a stark reminder of the pressing need to fortify and enhance the country’s data security measures.
Last Monday, the online forum Lowyat.net reported that R00TK1T had successfully infiltrated LPPKN’s server, and claimed to have extracted 27 TB of data.
While LPPKN confirmed the cyberattack on their iKnow server, they assured that the compromised information was intended for internal use and does not pose a threat to their overall security.
Murugason criticised the government’s response, saying that they are not taking data breaches seriously enough and should assume greater responsibility for such incidents.
“The government has, as usual, denied any leaks before ordering an inquiry. Failing to recognise vulnerabilities can escalate minor threats into catastrophic breaches,” he said when contacted by Scoop.
“The right to privacy is a fundamental right, and this idea has to be recognised and accepted by data takers, whether in the government or private sector. They must also be accountable.”
Murugason emphasised that the right to privacy is a fundamental entitlement and should be acknowledged and upheld by both government and private entities handling data. He called for greater accountability on the matter.
The expert proposed three fundamental changes for the government and its affiliated agencies to adapt to the evolving challenges of the digital era.
Firstly, he recommended that cybersecurity agencies formulate a well-crafted action plan in response to cyberattacks.
“Cybersecurity programmes must shift their focus from attempting to prevent incidents to detecting and responding to failures when they inevitably occur. Adopt a ‘we will get breached’ mentality and stay prepared.”
“Secondly, the government must also expand their definition of ‘failure’ for systems and data to encompass more than just security risks. Digital failures are no longer simply security related but instead now involve a host of other potential harms, ranging from performance errors to privacy issues, discrimination, and more.”
He also mentioned that monitoring for failures is crucial for IT and cybersecurity teams, as it may take months to detect breaches and vulnerabilities.
“This is, sadly, not currently the case. It typically takes months to identify and contain a breach. And it’s all too common for agencies to learn about breaches and vulnerabilities in their systems, not from their own security programmes but through third parties,” he said.
The current reliance on outsiders for detection is itself an implicit admission that the government is not doing all it should to understand when and how their system is failing, he said.
“This does not mean, however, that third parties cannot play an important role in detecting incidents. Third parties still have an important role to play in detecting failures, as the government may not have the bandwidth,” he added. – February 21, 2024