MITI must explain the PIKAS data “leak” on its website and the steps that it is taking to safeguard the security of other data including the CIMS 3.0 database
On the 31st of May, in a LinkedIn post[1], Ts Dr. Suresh Ramasamy[2], an expert in IT and cybersecurity, revealed that over 2000 Excel files containing personnel information of company employees (possibly numbering more than 1.7 million, based on the number of employees who signed up for the PIKAS vaccination program under their companies[3]) could be downloaded directly from the MITI website[4]. This news has since been reported by CodeBlue[5] and SoyaCincau[6].
Screenshot of files that were previously accessible on the PIKAS MITI website

MITI must come out with a statement explaining to the public why this data breach took place. MITI should also reach out to the companies whose employee data was listed in the publicly accessible Excel files, so that the employees at these companies can be on alert for misuse of their personal data.
This is not the first time that Dr Suresh has revealed shortcomings of the MITI website. He had previously commented[7] on some of the weaknesses of MITI’s CIMS (COVID19 Intelligent Management System), which was used by companies to obtain a letter of approval from MITI in order to continue operating during the various Movement Control Orders (MCO).
Screenshot of the CIMS 3.0 login page

MITI must clarify whether the IT security flaw was due to an error made by the IT department at the Malaysia Automotive, Robotics and IoT Institute (MARii)[8], an agency under MITI, which is in charge of developing and maintaining the CIMS, including the latest CIMS 3.0 version.[9] MITI must also explain whether these IT breaches, possibly involving MARii, are due to a lack of leadership at this agency, especially after the removal of its CEO, Datuk Madani Sahari, who was arrested and remanded by the Malaysian Anti-Corruption Commission (MACC), along with 8 others, in March 2022, over a project worth RM85 million.[10]
As one of the frontline ministries in dealing with industries and companies, many of which operate at the international level, MITI must be fully transparent and present a full public explanation on this data breach so that it can continue to command the confidence of its stakeholders.
[1] https://www.linkedin.com/pulse/exposed-millions-malaysian-personal-data-govt-site-ts-dr-suresh/
[2] https://www.linkedin.com/in/sureshramasamy/
[3] https://www.mida.gov.my/mida-news/17053-companies-have-registered-under-pikas/
[4] https://pikas.miti.gov.my/ (No longer accessible to the public)
[7] https://www.linkedin.com/pulse/case-study-mitis-cims-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm/