MALAYSIANS, being great adopters of technology, are used to data breaches and having their details used for things they weren't intended for.
Buy just one thing online, and suddenly the world and their grandmother is knocking on one's online door, clamouring to sell their wares. Getting calls from telemarketers, or scammers claiming to be from the Inland Revenue Board (IRB), is par for the course.
So no one pays attention any more. Until news broke that there had been a massive breach of the National Registration Department's (NRD) MyIdentity centralised database, with possibly even data from the IRB included, and suddenly, perhaps people need to pay more attention to those scam calls after all.
In this latest breach, the personal details of four million Malaysians born between 1979 and 1998 are allegedly up for sale at the fantastic price of less than one sen per identity. In the hands of experienced criminals, the return-on-investment could be millionfold. What a bargain!
So, with such familiarity, why are Malaysians up in arms about this latest breach? Because it comes from a government database — in fact, a centralised database for the 10 government departments most used by the public.
People key in and store their details in MyIdentity because it helps cut through the government red tape of having to fill in forms ad nauseum. But unlike a loyalty card or e-payment platform, people don't have a choice not to share their information with the government.
So, when they do, they expect their data to be kept confidential. What is even more concerning is that this breach allegedly happened some months ago and was spotted by intrusion analysts, but the matter only came to light when one analyst decided to blow the whistle on social media, after attempts to inform the relevant party received a tepid response.
And only then was a police report lodged by the relevant party. In the months prior to the breach being made public, did the NRD know that someone had dipped into the database and helped themselves to fistfuls of information?
Whether it was hacked or an inside job, why was a police report not made earlier? And, have the four million people whose information was stolen been informed of it?
The intrusion analyst claims that this is not the first time that data from the NRD has been put up for sale. And scarily, a casual scroll through the Twitter accounts of such analysts allegedly reveals even more breaches at other government agencies and departments. What are these organisations doing to detect such leaks for themselves?
With 87.1 per cent of government services provided online, and 87.4 per cent of the population being Internet users, the government's plan is to mainstream digitalisation for inclusive development.
As part of the 12th Malaysia Plan, the government intends to introduce a national digital identification platform, whereby every user's "secure and trusted electronic credentials" (facial and biometric data) will be stored, so that access to government sites no longer need multiple passwords.
But, what's the point of "trusted and secure credentials" if no one is guarding the back door? Malaysia aspires to position itself as Asean's regional digital centre. But to achieve that, it must first secure public confidence that it is on top of its game to keep data safe.