On August 2022, we covered news where iPay88 issued a media statement saying that card data might have been hacked. This was a big issue because many customers and companies use their system on a daily basis.
Today, Bank Negara Malaysia (BNM) has issued a statement regarding the incident.
We refer to our statement on 12 August 2022 on iPay88 (M) Sdn. Bhd., a provider of payment gateway services to banks and merchants.
Following the completion of the independent forensic investigation, iPay88 has taken the necessary containment and rectification measures to address gaps that were identified. In addition, BNM has also instructed iPay88 to undertake additional measures to further strengthen its cyber security controls and IT infrastructure. These measures are aimed at ensuring that similar incidents do not recur in the future and to safeguard against future threats. BNM will continue to closely monitor iPay88’s implementation of these measures and where appropriate, will undertake further supervisory or enforcement action.
BNM has also directed banks and card issuers to maintain heightened vigilance over activities of cards that may be at risk. Customers will be contacted if any suspicious activity is detected through the monitoring activities of their banks or card issuers.
BNM would like to reassure members of the public that Malaysia’s banking and payment systems remain safe and secure. Under existing payment card rules, customers will not be liable for any fraudulent or unauthorised transactions, as long as customers have taken reasonable precautions to safeguard their payment cards.
Customers are advised to immediately notify their banks if they observe any irregular or unauthorised card transactions.
From what we gather, this statement didn’t tell us anything about the incident. Who hacked iPay88? How? What happened to the compromised card data? There are many questions remained unanswered.
Recently, BNM also instructed financial institutions to stop using SMS OTP because it is no longer secure and they should adopt other security methods as soon as possible.