KUALA LUMPUR: Alarm bells have been sounded following an all-time high of data breach cases, with Malaysia recording an average of 15 such cases a week this year.
Up to June, the Personal Data Protection Department (PDPD) had received 130 cases, the majority of them comprising ransomware attacks.
This marked a startling fourfold increase from last year, when only 30 such cases were recorded for the whole year.
This has also sparked concerns over related cybercrimes and phone scams, which lead to millions of ringgit in losses annually.
PDPD director-general Professor Dr Mohd Nazri Kama told NST Focus that the pattern had been steadily increasing since 2016.
He said at least five cases each week involved personal data breaches.
Personal data refers to a collection of data that can be used to identify an individual, such as MyKad and banking details, while non-personal data does not possess the ability to disclose a person's identity.
Nazri said the rising number of cases could be attributed to various factors, with ransomware emerging as the prevailing form of cyberattacks.
In such cases, criminals would take a person's data and threaten to expose or sell them unless they are paid.
While declining to specify how such data breaches could occur and who the guilty parties usually were, he said contributing factors included the use of old, unpatched security systems vulnerable to exploitation.
He also noted that human factors were to blame, such as accidental disclosure of sensitive information, weak passwords, phishing attacks, insider misuse and physical theft of data-carrying devices.
"Some Malaysians are generous with their data. They would simply give their data to anyone.
"A simple example is when they go to a supermarket and people (marketers) ask for their identification card for membership registration or simple gifts and benefits.
"Shoppers would give it without thinking about how these organisations would handle their data," he said.
Such data can be used in a variety of ways.
Companies which buy them can use them to tailor their offerings to the consumer in question and personalise products to better appeal to that consumer.
A more nefarious use, however, would see criminals using personal data gleaned — such as how much money is in one's account as well as family details — to scam their victim in a convincing manner.
Nazri said the department faced a huge challenge in identifying where such data breaches came from.
"For example, criminals would erase the data from the server they hacked into, thus ending the trail which would have led back to them."
On companies using such data, he said from 2016 to this year, only 15 of those had been compounded, and five others were fined for such offences.
The small number of prosecutions, he noted, was due to technical difficulties in gathering evidence for such cases.
Nazri said one way consumers could reduce the risk of having their data abused or stolen was by only releasing their data to companies with the PDPD registration certificate.
The certification, he said, was issued to companies which comply with the Personal Data Protection Act 2010 (PDPA), which seeks to protect users' personal data relating to commercial transactions.
In February, the NST had reported how Malaysians' personal data were actively being sold on the dark web, with at least one posting from those with the information appearing every two days.
The Federal Commercial Crime Investigation Department had revealed that cybercrime cases nearly doubled from 10,753 in 2018 to 19,175 last year.
Earlier this year, Communications and Digital Minister Fahmi Fadzil announced that the PDPA would be amended to increase the fines or penalties and to incorporate mandatory data breach notification by data users and data processors in the act.