Personal data: A potential gold mine for hackers, say experts

KUALA LUMPUR: Beware. Today’s hackers are after five personal data that you use for your password – full name, identity card number, handphone number, home address and email address.

President of the Malaysia Cyber Consumer Association (MCCA) Siraj Jalil said most users create their security password based on the information as they are easy to remember.

But these easy-to-remember passwords make it easier for hackers to crack, allowing them to conduct exploitation activities especially those involving accounts with banking institutions.

“This is just human psychology…Simple passwords based on our own background are easy to remember and that the choice of convenience plays a key role in password creation.

“For example, the last four digits of the IC are ‘0000’ with the same digits used for the email address…the chances are high for the user to use similar digits for other passwords.

“For some people, it is not uncommon to provide this data as general information but they must not let their guard down as the consequences of using personal information as your passwords, could be quite severe,” he told Bernama recently, adding that there were several cases of cyber attacks on user accounts especially involving financial institutions when hackers could easily break into users’ accounts based on the five personal data.

Hacking user accounts

Siraj said today’s users are more exposed to cyber crime threats, noting that every piece of information including online financial transactions are susceptible to risks.

According to local media reports last March, staggering losses of RM2.23 billion were recorded within five years from 2017 to June 2021 due to cyber crime in the country.

Studies revealed in the book on ‘Jenayah Siber di Malaysia: Impak Leluasa Internet’ (Cyber Crimes in Malaysia: Pervasive Impact of the Internet), published by the Institute of Public Security of Malaysia (IPSOM) showed that almost 70% of commercial crime cases are now categorised as cyber crime.

On Aug 11, Bernama reported that Malaysia recorded over 20,000 cyber crime cases last year with losses amounting to RM560mil.

The cases recorded included cyber bullying, falsification, hacking, phishing and email scams which are increasing each year.

“There are two ways of looking at data leakage namely data privacy and data sovereignty.

“Data privacy may be difficult to determine but users can empower data sovereignty, meaning that they know their data is used and for what purpose. That is what we are striving for to ensure the overall security of users’ data is safeguarded,” he said.

Blockchain technology

Touching on basic data storage technology, Siraj said it is kept in the server and controlled by the intermediary.

He said cyber crime takes place when the party responsible for safeguarding the data from intrusion fails to protect the system from hackers who are one step ahead and can break through cyber security defences, noting that integrity and ethical issues are also related to cyber security of an organisation.

If the protector fails to protect the cyber security data, hackers can easily break into the system server and steal the data, and worse still, they are able to make changes to the data.

“To address data leakage issues and protect data from alterations by hackers, blockchain technology can be applied by the cyber security industry.

“Blockchain technology, often linked to Bitcoin, refers to decentralised data technology, which differs from centralised data as every transaction process requires prior confirmation from the community (user’s account).

‘With blockchain technology, we can access and trace the transaction conducted from the beginning, besides data transaction such as digital address of the sender and recipient, transaction date and total transactions that are accessible and traceable. Data stored in the block cannot be altered or updated,” he said, adding that blockchain resides in the public network without control from any authority and hence embraces the data transparency principle.

However, Siraj said there are hurdles to using the technology in a holistic manner, among others high costs, which party is responsible for governing the blockchain technology and the willingness to change from the conventional data storage method.

“Without a doubt, there are many obstacles to change although it has proven to protect users’ data from cyber crime, hence, almost all organisations still use data storage servers such as Cloud, Google Cloud, Web Services or Alibaba Cloud.

“Almost all big corporations will have a centralised data centre in the country and will store their data there. However, once the data is kept at the owner’s data storage centre, is there a guarantee that the party that stores and protects the data would not misuse the data?”

“There exists the issue of integrity involving trust towards the party that is holding the data. There are too many issues related to stolen or leaked data which goes to show that it is too easy to get hold of them,” he said, adding that the high demand for certain data has led the dark web market to flourish.

Commenting on recent newsreports, quoting a statement from a group of hackers identifying themselves as the “grey hat cybersecurity organisation” who claimed that they could break into the Malaysian civil servants’ ePenyata Gaji (ePaySlip) system, he said intelligent scam activities allowed hackers to gain various data of users including their financial status and subsequently access their accounts.

In an email to the media, the group claimed they could extract nearly two million payslips and tax forms of civil servants.

Beware of actions

Meanwhile, Head of Data Protection, Digi Telecommunications Sdn Bhd Kulani Geeta Kulasingam said users should be cautious when using the internet to protect their personal information.

She also suggested that users create a password with unique identification and be cautious of suspicious phone calls and at the same time understand the basic requirements in the cyber space.

“Users should not indiscriminately download files as they are feared to contain Malware (software that is intentionally designed to cause damage to a computer, server, client or computer network) that can track all their data.

“Be extra cautious when using the social media especially when uploading any information that exposes our own identity. For example, other individuals can use the information that we shared such as home address, workplace, school location, etc, for fraudulent gain, ” she said adding that the best way to use the social media is to keep personal information limited to a list of trusted friends.

She also urged users to immediately contact the financial institution involved or change their password that is almost similar with other accounts, if they are suspected to have been leaked.

“This is one way of avoiding identity fraud in the cyber space and users can activate their password through the 2FA or Two Factor Authentication as a security measure. (Through the 2FA, once the user has keyed-in his password, a security code will be sent to his phone number or email).

“Today, members of the public are more cyber-literate on issues related to personal data and we will continue with our efforts to educate the people on data safety. Users should be exposed to safe behaviours when they are in the cyber space, hence reducing the risks of falling prey to cyber intrusion,” she added.

Digital communication illiteracy

Sharing his thoughts on the issue, Senior Lecturer at the School of Multimedia Technology and Communication and Head of Advanced Communication Research Unit (ACRU), Universiti Utara Malaysia (UUM) Dr Mohd Khairie Ahmad said digital communication illiteracy can trigger the data leakage phenomenon.

He said the level of public cyber security awareness and understanding is lower compared to its usage, which is very high at 98.9 per cent of the population aged 16 to 64 years old who use the smart phone while 89.6 per cent of Malaysians have access to the internet.

“The imbalance between the level of usage and the level of cyber security practices is among the key sources of data leakage. We know how to use (technology) but are not smart in managing digital communication matters.

“Our people often take a quick and easy approach in using either devices or online applications but are lacking in risk assessment of their actions. Besides that, the inability to analyse risks or to factor in cyber communication aspects also contributed to the problem,” he added.

According to Mohd Khairie, economy in today’s cyber communication era is information-driven, making various types of data a commodity or a base for the majority of products and services, and a swift medium to acquire data through applications developed by various organisations.

The use of applications, he said has become a culture not only related to business but also involves social activities as well as entertainment for the community.

Many people are still not aware that the phenomenon has exposed them to high risks to cyber threats and security through sharing of various information that are required to activate their application.

“The extreme apps culture and the herd mentality attitude also pose risks for netizens. From other aspects, authorities in digital communication should seek a more effective control and monitoring mechanism.

“As an example, any organisation intending to develop an application must obtain the approval or recognition from the Malaysian Communications and Multimedia Commission (MCMC) or the National Cyber Security Agency (NACSA).

“In fact, the relevant authorities should introduce certification for applications produced in the country. This is to protect the public from the potential risks of an application. We need a ‘fast route’ to protect netizens who may take a longer time to be cyber security-literate,” he explained.

Mental health threats

The higher incidence of data leakage is translated to greater risks of potential losses for the nation.

A total of 12,092 online fraud cases with losses amounting to RM414.8 million were reported from January to July 2022.

Between 2019 to July 2022, a total of 33,147 suspects in cyber fraud cases had been arrested with 22,196 cases charged in court.

“The Malaysia Cyber Security Strategy 2020-2024 publication has cited a 2018 study by Microsoft and Frost & Sullivan which had forecast losses to the national economy (Malaysia) due to cyber threats would reach RM51 billion.

“The business ecosystem will be affected as cautious investors would move elsewhere to protect themselves against cyber crime. The higher losses due to cyber threats to data leakages could potentially increase mental health risks to the community. Those who suffer losses are more likely to suffer from emotional and psychological depression,” he said, adding that the risks of data leakages can have negative spill-over effects on the well-being of the people.

To address the data leakage issue, collaborative efforts are needed from all parties, he said adding that from the legal aspects, the government should review Act 709 or Personal Data Protection Act 2010 to ensure parties collecting and storing digital data in particular, exercise greater accountability.

“From the governance aspect, organisations should embrace the ISO 27001, an international standard that describes best practices for an Information Security Management Systems,” he said adding that the authorities should also take stern action toward any parties for failing to provide a secure and safe cyber ecosystem.

Mohd Khairie also stressed that cyber security-literacy awareness should be enhanced among the public at every age level including those related to cyber consumer practices and rights, and in addition, users should be brave enough to demand that sensitive data are not released through their mobile apps. – Bernama