Leaked data – what now?

I wrote about data privacy in July, and now it seems that my concerns have been proven true. I wrote that I was called by a bogus research institute for a poll.

And nobody, not even the telco, wanted to take responsibility for how my phone number ended up in the hands of a pollster.

Last week, news came out that the private data of millions of Malaysians was being auctioned.

Lowyat.net reported that personal data, including 50 million entries from various telcos, was being sold online. It said the data included names of customers, billing addresses, phone numbers, SIM card numbers and MyKad numbers.

Oddly, the Malaysian Communications and Multimedia Commission (MCMC) decided initially that it was better to censor the news and asked the site to take the news down as a "preventive measure", and later issued a statement that its officers were working with the police on the matter.

What is even more disturbing is that this breach was said to have happened between 2012 and 2015, two to five years ago.

If the MCMC and police investigation is proven true, then perhaps I would have to talk to my telco again regarding my complaint of a data breach. They had initially denied that any such event had happened when I referred the case to the Personal Data Protection Department (PDPD).

There is a need to take data privacy and security more seriously, especially now that we have been informed that some 50 million lines owned by 30 million Malaysians (and many foreigners) have been leaked and sold online.

At the same time, how is it that the MCMC, the police, and even the PDPD did not inform Malaysians of a data breach that might have happened between two and five years ago?

How is it that not a single telco had come out to warn its customers that their data had been stolen? Why was everything kept under wraps?

In my case, my data somehow made it into the hands of a pollster, but other customers may have faced worse. Their data may have ended up in the hands of scammers, blackmailers, heck, even those spammers who keep texting about properties for sale, online gambling and even loans.

The government needs to explain the severity of the breach, and how it plans to prevent it from happening again. At the same time, companies that have remained mum on this issue need to explain how they just kept quiet while their customers were left wondering how strangers got their number.

Till then, there is a need for the public to be educated to report the leak of their phone numbers and other such data to the PDPD. For far too long, we have believed that these crank calls and text messages were just a coincidence.

Now, we know better – our data was obtained from a leak in the telcos.

And more importantly, will the guilty parties be punished for failing to keep their customers' data private?

Are the MCMC, the police and even the PDPD protecting our telcos rather than the consumers? I believe they should be taking care of the people before corporations.

Perhaps this was done to prevent a panic, and because of the inability of telcos to issue enough SIM cards in a short time to replace those that have been compromised. However, we are beyond that now.

So, what is the next step? Should we all change our phone numbers and SIM cards to make up for the leak? Must the National Registration Department get involved, since it also involves our MyKad numbers?

The prime minister has announced that there is a concerted plan to switch to a "Cloud-First" strategy to be introduced as a national agenda to boost the digital academy. But first, we need to ensure that a breach does not happen again.

Hafidz Baharom is a public relations practitioner. Comments: letters@thesundaily.com