Personal Data in the Wrong Hand: Are we safe?

Photo credit: The Star Online

By Amni Ahmad

Hello, I’m XXX bank officer, you have withdrawn money from your account with the amount of RM10,000. If you did not perform this transaction, please call 03-8888XXXX .”

“Miss, your bank account will be frozen because we have identified that the account was linked to the drug trafficking syndicate, you need to contact this number 03-555XXX to clarify on this issue. You need to transfer RM30,000 to this account (XXXXXX) because your account would get frozen by the authorities. Can we get your account number and Identification Number to check?”

Have you ever received this kind of call? How can they contact you and know about your personal details?

Yes, your data has leaked.

Recently, Malaysian were shocked with the news of the biggest data breaches in the Malaysia history which includes the personal details of 46.2 million mobile number subscribers and 81,309 records from the Malaysian Medical Council, Malaysian Medical Association (MMA) and Malaysian Dental Association. This issue was first reported on online forum and news site lowyat.net. Based on the report in lowyat.net, the personal data that was leaked belonged to various organisations which are Jobstreet.com, the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia and Malaysian Telcos (Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX).

Lowyat.net reported that the biggest number of data leaked was from the Malaysian Telcos that include over 50 million records. The data includes customer names, billing addresses, mobile numbers, sim card numbers, IMSI (international mobile subscriber identity) numbers, handset models as well as Identification Card (IC) numbers of customers. Just imagined that our Identification Card number and mobile numbers are being exposed out there without our permission. IC number carrying a lot of our details. From the IC number, people can identify our birth year, birth month, birth date, place of birth and gender. With all this information, irresponsible people can easily use it for illegal conduct.

(Photo credit: Lowyat.net)

After lowyet.net reported about this issue, Malaysian Communications and Multimedia Commission (MCMC) has requested them to remove the article. However, on 20th October, MCMC has issued the statement and approved them to restore the original article. Currently, this case is still under investigation by the collaboration of MCMC and police. People are urged to not make any speculations and disseminate wrong information. Let the responsible authority completed the investigation and may justice prevail.  

Due to this data leakage, people are now are more exposed to the social engineering attacks which are phone and messaging scammers. Malaysian will experienced an increasing amount of getting weird calls and spam messages. Besides that, the more serious consequences is that the phones may be cloned and the culprits might impersonate someone else to apply for a credit card, especially when it involves aggressive agents who will proceed with the application without much verification. Data leakage is not a new thing, getting the call from property agents and loan sharks are something that most of the people have experienced. However, many of us do not realised and taking it lightly. Due to the economic pressure, many people falls into the trap and becomes the victim of such scammer. Thus, people should stay alarmed and prepared of any other consequences.

It is time for us to know our right regarding personal data. Personal Data Protection Act 2010 is a law that protect individual’s personal data in commercial transactions. According to Section 130 of Personal Data Protection Act 2010, there are seven personal data protection principles which are:

  1. The General Principle – A data user is not allowed to process personal data belonging to someone else without permission.
  2. The Principle of Notice and Choice – Information and destination of data must be notified to owner of personal data.
  3. The Disclosure Principle – The purposes of the use of personal data must be disclosed.
  4. The Principle of Safety – When processing data of any subject, steps must be taken to keep the data safe, non-modified, misused or given to non-concerned parties.
  5. The Principle of Retention – The personal data shall not be kept beyond the time limit required.
  6. The Principle of Data Integrity – Any personal data must be ascertained to be accurate, complete, not misleading and meets the intent of being stored and processed.
  7. The Principle of Access – A person shall be entitled to access personal data held by a data user, and can also correct and update it.

Based on this principle, it showed that the personal data should not be misused and need to be protected.

As a user, you should know your right regarding your personal details that being given to an individual or organisations for commercial transactions. Even if we go the certain offices, and the guards asked for our personal details, we have the right to not disclose our full information to them.

Know you right

  1. The right to know the reason for processing the data
  2. The right to access the personal data if necessary
  3. The right to correct processed personal data
  4. The right to revoke permission to process the personal data if the owner feels it is no longer relevant
  5. The right to halt processing of personal data if the owner feels it could cause distress
  6. The right to halt processing of personal data for direct marketing
  7. The right to refuse computer-generated results on personal data
  8. The right to reject direct marketing calls or email

What should you do if you received such call?

There are five guidelines that you need to do if you received call from scammer. These guidelines was provided by Federal Police Corporate Communications Chief, Datuk Asmawati Ahmad as reported in New Straits Times.

  1. Be alert and cautious when receiving calls from unknown numbers
  2. Do not panic and blindly follow instructions given by the caller without first calling police or financial institutions to check
  3. Do not return calls. Instead, get the official number of companies, organisations or institutions that purportedly made the contact
  4. Do not expose bank account numbers, automated teller machine card numbers or credit card details
  5. Check on the BNM website for latest updates on financial fraud

(Photo credit: Lowyat.net)

 

References

Khairul, A. M., Asyraf, F., Pei Ying, T., & Mior, A. (2017, November 12). Retrieved from https://www.nst.com.my/news/exclusive/2017/11/302183/dont-fall-these-scams-and-anything-promising-returns-10pc-or-more

Personal Data Protection Act 2010. (n.d.). Retrieved from www.kkmm.gov.my/pdf/Personal Data Protection Act 2010.pdf

Shahrudin, H. S. (2017, November 18). Retrieved from https://www.nst.com.my/news/crime-courts/2017/11/304546/data-leaked-traced-ip-site-oman

Vijandren. (2017, October 19). Retrieved from https://www.lowyat.net/2017/145654/personal-data-millions-malaysians-sale-source-breach-still-unknown/

Vijandren. (2017, November). Retrieved from https://www.lowyat.net/2017/148361/data-breach-fallout-time-review-malaysian-mykad-number/

 

Leave a Reply

Your email address will not be published.