KUALA LUMPUR, Dec 15 — Adoption of the National Digital Identity (MyDigital ID) to be introduced next year will be hampered unless the government can convince Malaysians about its safety, cybersecurity experts said after the Social Security Organisation (Socso) became the latest government entity to be compromised.
Novem CS chief executive officer Murugason R. Thangaratnam told Malay Mail that while no system could be completely impervious to all attacks, it was important to ensure that as few vulnerabilities as possible exist.
He also said it was essential to perform rigorous vulnerability testing to ensure that any weaknesses that exist were found by the right people.
“It could be discovered by the system’s creators or by a malicious third party. If it is the latter, the data of millions of users would be at the mercy of a hacker, who could be looking for a significant payday,” he said.
The government is planning to finally introduce the MyDigital ID next year, after allocating an additional RM80 million earlier this year to expedite its implementation.
Although it will not replace the Malaysian Identity Card (MyKad) that is compulsory for all citizens, it will replicate several of its functions — primarily identity verification — for digital services and transactions, particularly those involving the government.
Murugason said that this would make MyDigital ID an attractive target for cybercriminals and hackers who will seek to exploit it for identity theft and impersonation.
While he said there must be robust security protocols to protect MyDigital ID against misuse and allay Malaysians’ concerns, he also suggested that there would be an added hurdle of convincing them to risk their personal data online by being early adopters of the scheme.
“Over the years, consumers have grown sceptical about effective interoperability between systems, providers, governments, and applications.
“So, in addition to general security concerns, there is a level of distrust that a single ID will work,” he added.
Murugason concluded that progress in both areas would be hard-fought until the government makes itself more accountable for securing Malaysians’ private data and responsible for occasions when it is leaked.
According to Global Centre for Cybersafety director Datuk Husin Jazri, the most important thing government agencies can do to keep personal information safe is to appoint an independent and professional third party to regulate a strict security audit process.
“An example of good digital ID implementation is Estonia, where the digital ID implementation is accompanied by legal and regulatory provisions to protect its integrity and maintain high trust levels,” he said.
He said it is important for the government to ensure that the digital ID ecosystem is handled by professionals with checks and balances on conflicts of interest.
While the process of implementing the digital ID system is maturing, transparency must be made a priority, he added.
“In summary, implementing digital ID technology is not the hardest part, the hardest part is to be transparent in all the processes to ensure conflict of interest can be avoided and trust management is given the utmost priority!” he said.
The newly formed Digital Ministry headed by DAP’s Gobind Singh Deo will now be managing the Department of Personal Data Protection (PDPD).
On December 8, news emerged that Socso suffered an intrusion resulting in the loss of contributors’ private information including their full name, MyKad number, race, gender, blood type, address, phone number, email address, salary, employer code, business name and emergency contact.
Just days later, technology news site SoyaCincau reported a vulnerability with the Inland Revenue Board’s (IRB) payment portals that could be exploited to display taxpayers’ full name, IC number, address, email, and phone number.
Other agencies that have previously suffered data breaches in recent years include the National Registration Department, the Election Commission, and the Health Ministry through MySejahtera.
The data breaches were also occurring against a backdrop of a cybercrime epidemic in Malaysia that has, according to the Royal Malaysia Police, cost Malaysians nearly RM2 billion in losses to scams and fraud.