The Consumers’ Association of Penang (CAP) is concerned about the news last week that the technology portal, lowyat.net, had discovered another personal data breach and that a total of 60,000 records from the pay TV operator Astro were up for grabs at RM4,500.00 per 10,000 records on its site.
Disturbingly, lowyat.net also stated that they had first discovered the data breach in January 2018 and that they had alerted Astro, and yet here we are.
Quick to defend itself, Astro claimed that it had handled the matter in January together with the authorities and did not see the need to inform its customers of a “non-issue”.
The company also stated that the personal data that was stolen was ONLY from its IPTV subscribers that were provided by the telco Maxis.
There are two major issues here that need to be addressed by the authorities immediately.
The first is that these major personal data breaches just keep happening. In October last year there was a major data breach involving 46.2 million mobile phone numbers and their owners’ personal details, and now it would seem we are not even safe subscribing to a TV service. For a country that is striving to be more “digital” and more “online”, it is easy enough to predict an increase in the number of identity fraud and scam victims with the current state of our cyber security. There is an urgent need to invest in better hardware and software as well as talent in this field at both the national and company level. We are looking at a very bleak future if the authorities and companies alike do not buck up on the cyber security front.
Secondly, companies need to understand that the personal data records that they keep do not belong to them. They are simply holding on to their customers’ information.
If those personal data records get stolen because of the companies’ carelessness or negligence stemming from a poor cyber security system, it is their duty to inform the owners of the stolen personal data about what has happened. And if they are irresponsible and lack the necessary sense of accountability to do so, then they should be penalised.
In short, we ask that the authorities do mandatory checks to ensure that companies have sufficient cyber security measures in place to combat the latest hacking methods; and that they take action against companies that deceive their customers by keeping silent when a personal data breach incident happens.
Press Statement, 11 June 2018