Are Malaysian Telcos responsible for the Lowyat data breach? Can we sue them?

It was 19 October 2017. Chances are that this was a normal day for you, scrolling through Facebook, laughing at funny posts or raging at the latest ridiculous thing a politician said. And then you come across this news – Lowyat.net reported that someone tried to sell the personal data of 46.2 million Malaysian mobile phone numbers and 81,309 entries from databases of medical practitioners on their forums. The data was apparently stolen back in 2014 and included sensitive information such as full names, IC numbers, addresses, SIM card information, you name it. Anything you gave your telco, it was there.

What probably happened was that someone who had privileged access to the information stole it. The data is very valuable to some people, like salespeople, hackers, identity thieves, and even for scammers to set up what’s called social engineering to further steal confidential information. Data breaches have been happening over the internet for a while, such as the PlayStation Network data breach. If you're keen to know, this link about data breaches of the past might be of interest.

So did our telcos sell our private information? No, apparently it was stolen by a bunch of employees from a currently unnamed company. According to The Malay Mail, the authorities are still investigating and have traced a few individuals as the culprits.

“It’s most likely the work of several staff who took advantage of their access to such sensitive information and we believe the company itself is not involved in the crime… We believe the information was stolen while the data transfer process was being performed.” - Communications and Multimedia Minister, Datuk Seri Salleh Said Keruak - as quoted by The Malay Mail (print version 17 November 2017, page 3), emphasis added by ASKLEGAL

But the data was under their care! They should be responsible!

At this point, so much information has been stolen that a lot of us are wondering whether we need to change our phone number, or even our IC number and address! (hopefully not our face as well) Lowyat.net has clarified that the information is not enough to clone our SIM cards, but the larger concern is that our IC numbers tell people a lot of information about us – our exact date of birth, the state we were born in, as well as our gender.

We're made easy pickings for marketers who want to target certain groups of people, which is more of an annoyance than security concern. But Lowyat.net also pointed out that a lot of institutions still use our date of birth as a security question. Some banks also ask for our IC number for verification, so… yeah.

We are still waiting on the investigation and what measures will be taken by the government 

This is as of 22 November 2017, which is a taking a long time for reasons Lowyat.net explains here.

A lot of us might be thinking: Aren't our telcos responsible for guarding the data?

Yes, they are.

But whether we can sue them for it depends on the outcome of the investigation. AskLegal interviewed Ian Liew, Associate at Donovan & Ho to find out how Malaysian data protection laws work, and whether the companies involved in the breach will be held responsible.

According to him, the Personal Data Protection Act 2010 (PDPA) requires companies to meet a Security Standard in protecting our personal data. While the telco will get into trouble if they don’t fulfill the security requirement, the other side is that the company is not responsible if data thieves still get their hands on your data through an elaborate scheme. (we'll get to the details below)

[READ MORE - You can use the PDPA to stop telemarketers too]

Companies that collect personal data must protect it as well

Ian explains that the PDPA binds companies that collect our personal data to comply with 7 major principles and practical standards to protect the data.

The key principle we're looking at is the Security Principle (Section 9 of the PDPA). It basically binds companies to protect your data from being misused or disclosed without authorization. Companies that abuse your personal data or fail to guard it can be heavily fined (up to RM300,000) and the people responsible can be jailed up to 2 years under Section 5(2) of the PDPA.

It doesn’t end there, because Section 9(2) further states that the company must guarantee that they provide sufficient security to protect your data from hackers as well as from their own employees. This can include technological security measures as well as checks to make sure the staff who have access to the data are competent and trustworthy.

Section 9(2) - Personal Data Protection Act 2010

Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—

(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and

(b) takes reasonable steps to ensure compliance with those measures.

The Security Principle also says that the extent of security needed depends on how sensitive the data is. For example, your credit card information need to be more secure than your IC number, which also needs to be more secure than just your name.

The Security Standard binds the company's third party contractors as well

A lot of companies engage third parties to outsource or smoothen their operations, which tends to involve exchanging our personal data with them. You might remember a tick box when filling forms giving the company permission to share your information with their marketing partners or another similar company.

Ian explains that these third parties must also fulfill the security requirement, failing which the company and the third parties could both be held liable.

To fulfill the responsibility given under Rule 6 of the Personal Data Protection Regulations 2013, companies need to develop and implement a security policy for both their employees and third parties to follow. This security policy must comply with the Security Standard in the Personal Data Protection Standard 2015, which outlines some measures that must be taken like:

1. Registering and regulating all employees with access to personal data

2. Limiting entry into data storage sites

3. Protecting their computer systems from malware attacks or unauthorized access

You can find out more about the standards at the Department of Personal Data Protection's website. Ian tells us that they are very easy to read and understand. (not like AskLegal, right?)

So in the end, can sue or not??

Jokes aside, as we briefly mentioned earlier, we still need to know what the authorities find from the investigation. Ian says it depends on the following factors:

"If someone is contracted to handle the data, the company must get a guarantee from the employee or contractor that they will implement security measures and make sure that they are complied with. As long as the company has done so, they should not be held responsible.

But if a third party gained unauthorized access to the data, the company must prove that they complied with the Security Principle mentioned above, and still couldn't stop the third party. If they can't prove this, the company will be responsible." – Ian Liew in e-mail interview with ASKLEGAL

Basically, we need to find out what really happened before we know whether we can file a negligence suit against the companies involved. There's a legal doctrine called res ipsa loquitor that basically says if the telcos were under control of our personal data, the very fact that our data was exposed could raise an assumption that they negligent (and the telcos will have to prove that they were not).

Further, abusing personal data and non-compliance with the Security Standards is a criminal offence punishable with 2 years of prison and/or a fine of up to RM300,000. So if the data breach has resulted in some weird records popping up under your name, you should report the incident to the Department of Personal Data Protection over here. 

Here’s what Ian had to say about some further precautions you can take.

“You can suspend or terminate any affected accounts with your telco provider. Look out for unexplained activities on your number by checking your telco statement, like suspicious text messages or phone calls being made or received.

If there are any suspicious activities, alert your telco provider and consider getting a replacement SIM card or number.” - Ian Liew, in e-mail interview with ASKLEGAL

How do you know if your data has been exposed?

Tech blogger Keith Rozario had put up a site called SayaKenaHack.com for Malaysians to check if they have been compromised. But it has since been blocked by the Malaysian Communications and Multimedia Commission because it could further compromise Malaysians. According to Lowyat.net founder Vijandren Ramadass, the site could be abused because the entire database of leaked info is available on it.

“While MCMC has not confirmed nor denied the block, the sheer amount of information on the side could subject it to abuse. Rozario is a good guy, who set up the site for a noble purpose, but that does not stop unscrupulous individuals from abusing the data,” - Vijandren as quoted by The Malaysian Insight

In any case, the data breach is so big that considering Malaysia's population is only 31.7 million, the 46.2 million users affected probably includes you. Here are some precautions you can take to stay safe when data breaches happen:

This one doesn’t apply to the data that was sold on the Lowyat forums, but there have been other breaches in the past where the passwords of millions of accounts were pasted on the Internet. If you have been compromised before, it’s best to change your passwords and make sure you don’t use the same password for multiple services. 

Here’s a website you can use to check whether your email has been compromised before.

The guys at Lowyat.net are urging telco companies to replace the SIM cards of all affected customers, especially for those of us who haven’t changed our SIM cards since 2014. Take the initiative to secure yourself and don’t wait around for your telco to contact you.

The exposed information can be used by scammers to trick you into trusting them. Here’s an example: you might get a call from your “bank” asking for something and giving you details like your phone number and address to make you think that they’re really your bank.

Never reveal your personal details or sensitive information through phone calls. Scammers have ways to spoof their number to look like they are your bank, “Bank Negara”, or even.. the “PDRM”. Be wary of suspicious communications you didn’t initiate and take note that the authorities and your bank will never ever ask for sensitive information like your PIN and TAC codes, or ask you to transfer money to another account for some reason… Immediately end the call and contact the real authorities’ official number to verify the situation.

The scammers are usually very elaborate and use psychological tricks to trip you up. They take advantage of the fact that you’re probably thinking that it won’t happen to you - until it does. You can read about the infamous “Macau scam” that we’ve covered before to see how the scam plays out.