MySejahtera Data Breach: 3 Million Personal Data Downloads Without Authorization
A recent Auditor General Report has revealed that personal data of over 3 million users on the MySejahtera app were taken without authorization.
MySejahtera Unauthorized Access
A recent report by the Auditor General Report 2021 Series 2, released on 6th January 2023, revealed that personal data from three million MySejahtera users had been downloaded without authorization back in 2021. The unauthorised download was made by a single MyVAS Admin account with Super Admin access, which was approved by the Ministry of Health (MoH).
Although MySejahtera has a total of 882 administrator accounts, only 56 of them were MyVAS Admin accounts, and all 56 users have been individually identified by the MoH. Curiously, the report noted that the misused Super Admin account was created with the approval of the MoH in the first place.
The account responsible for the unauthorized download performed the action through the Vaccine Admin section of the MySejahtera platform. This section of the platform is where administrators can download and upload vaccination appointments, records, and exclusions from or to the platform’s database. Administrators can also update and delete vaccination records via this section as well.
Picture credits: National Audit Department
The report indicated that data was siphoned from the platform from 28th to 31st October 2021, over five different IP addresses, according to an e-mail that was sent by KPISoft to the National Security Council (MKN) on 2nd November 2021. However, the National Audit Department could not determine the exact data fields that were downloaded by the account. After the account was blocked, the National Cyber Security Agency (NACSA) was informed of the incident before a police report was made on 5th November 2021. However, this incident is still under police investigation.
It should be noted that two sale listings were found on a well-known database marketplace forum claiming to have data that was sourced from MySejahtera. One was listed in October 2022 and claimed to contain around 700,000 lines, while the other was put up in January 2023 and featured the raw MySejahtera data with around 12.8 million rows, as well as a separate database that was cross-referenced with the electoral roll from the Election Commission (SPR).
The MySejahtera data listings were sold for USD $250 (RM1,101) and USD $4,800 (RM21,140), respectively. It is unclear whether these listings were related to the unauthorized download made by the Super Admin account.
It has been over a year since the incident was reported to the police, and it remains unclear whether the authorities can pinpoint the perpetrator. The MySejahtera data breach highlights the importance of securing personal data and implementing stricter data protection regulations. It also reminds us to be cautious about our personal information and where it is stored.
Pokdepinion: Seeing this happen is one thing, but having it happen over two years ago is a bit alarming. Why wasn’t it disclosed earlier? There’s definitely something odd about this case.
