Previously, we reported that according to the second series of the 2021 audit report released by Auditor-General Datuk Seri Nik Azman Nik Abdul Majid, an unknown individual or group created a “super admin” account that downloaded private information belonging to three million people via the MySejahtera app two years ago. But it turns out that the “super admin” was not unknown and was actually a security measure.
Malay Mail reports that the Deputy Health Minister, Lukanisman Awang Sauni, has rejected claims that there was a breach of data for vaccine recipients registered under the MySejahtera app.
He explained to Parliament that a “super admin” had downloaded the data of three million vaccine recipients as a precautionary measure due to attempted hacking of the app.
He acknowledged that there were 1.12 million attempted attacks on MySejahtera based on the Auditor-General’s report, but he stated that the app was able to prevent any data leakage. Lukanisman did not provide further details on the issue as it is currently under police investigation.
Meanwhile, the Malaysian Bar has called on the government to urgently introduce a Privacy Act to safeguard the data of Malaysians that may be collected by either corporations or the Malaysian or state governments.
The lawyers’ organisation has also requested that the CyberSecurity Malaysia (CSM) report on potential hacks and illegal downloading of user data from the MySejahtera app be made public during the current session of Parliament.
Currently, personal data in Malaysia is regulated by the Personal Data Protection Act 2010 (PDPA), which excludes the Malaysian and state governments from its jurisdiction. The Malaysian Bar emphasized that the PDPA only applies to personal data collected during commercial transactions and not to data collected through the use of the app for public health purposes.
The organisation is therefore urging the government to enact a Privacy Act to safeguard the privacy of data collected by the Malaysian or state governments or any corporation operating under their jurisdiction.
The Malaysian Bar has acknowledged that the Minister of Communications and Digital, Fahmi Fadzil, has instructed Cyber Security Malaysia to investigate the audit findings.
The organisation has called on the government to disclose the details of the Non-Disclosure Agreement (NDA), the events that caused ownership confusion, and the identities of all service providers.
These disclosures should be made during the current Parliament session to facilitate debate on the issues and ensure that the public is reassured about the protection of national security and the privacy of app users.