The Central Database – branded as Padu – is an effort led by the Economics Ministry to bring together information held by various ministries and government agencies into one, allowing the government a clearer picture of its 33.5 million population.
Just hours after the launch, Minister of Economy Rafizi Ramli who spearheaded the project, admitted to a built-in loophole in registering for the public-facing part of the database which may allow for identity theft.
This came after former deputy international trade minister Ong Kian Ming revealed that anyone with knowledge of another person’s identity card (IC) number can register as that person, provided they also know the person’s home postcode.
The account allows the public to declare banking information, income, and dependencies that will give the government a better understanding of the needs of the individual.
Why Singapore’s new AI plan could help Asia’s cybercrime fight
Why Singapore’s new AI plan could help Asia’s cybercrime fight
Rafizi said such registration, although possible, is only recorded in the database once the account holder completes the electronic Know Your Customer (eKYC) process, which requires sending photos of the IC and a selfie of the account holder.
“Until the eKYC process is completed, the registration is pending and invalid,” Rafizi said. Since the launch, over 230,000 people have registered, with 71 per cent having their eKYC verified.
The minister said the loophole was by design, allowing people to access the platform ahead of the eKYC process as it might take some time for them to be verified.
“If it happens that an account is registered by someone else, users can directly go to the help desk – online, call centres or physical counters,” he added.
But the public was not swayed by Rafizi’s assurance, and calls have mounted for the registration process to be suspended pending a proper fix.
“The correct solution is to turn off the system and get the flow right, first. Then only turn it back on for registration,” computer engineer Shawn Tan said on X.
Concern over data security and protection against breaches is high in Malaysia after repeated revelations of hacks and data theft over recent years.
In 2022, the personal data of 22.5 million citizens, ranging from their full names to identification numbers, home addresses, phone numbers and ID photos, were stolen from government servers and sold on the dark web for a reported price of US$10,000.
Malaysian PM’s messaging accounts hacked as officials deny data breach crisis
Malaysian PM’s messaging accounts hacked as officials deny data breach crisis
The data was then made available on the internet, allowing anyone to gain access to everything from names and addresses to voting constituencies and student loans by just keying in a Malaysian IC number.
A cybersecurity report by Surfshark, a virtual private network service provider, ranked Malaysia as the “eighth most breached country” last year, with more than 490,000 leaked accounts.
The report found that data breaches in Malaysia had risen by 144 per cent in the third quarter of 2023, compared with a 76 per cent decline in such incidents globally in the same period.