PERKESO, Malaysia’s social security organisation (SOCSO) has issued a statement confirming a cyber attack on its systems, database and website since last Saturday (2nd December 2023). It assured that these planned attacks by the hackers will not affect its ability to provide its services to SOCSO contributors, employers and the public.
To recap, a hacker group had posted a forum thread alleging that PERKESO’s systems had been compromised. The group also shared sample data containing personal information including full names, IC number, phone number, salaries, business name and blood type. To make matters worse, they also shared a recording of PERKESO’s video meeting on the data breach, which has since been taken down from YouTube.
PERKESO says ICT team was successful in regaining control
The statement said that PERKESO had activated a crisis management plan once the cyberattack was confirmed on the same day, and they mobilised the Information and communications technology (ICT) team to restore its systems. It explained that the cyberattackers’ early modus operandi was to paralyse PERKESO’s infrastructure that handles daily operations.
After PERKESO’s ICT team was successful in regaining control, it claimed that the hackers had switched tactics by launching character assassination attacks towards the organisation.
PERKESO said all interest payments, compensation and disability pensions to contributors will be carried out based on the allocated duration.
PERKESO: Questionable data shared by hackers
Focusing on the supposed breached data, PERKESO said early observations revealed that the supposed sample data was questionable, incomplete and not valid. It explained that a cluster of stolen data had never been recorded by PERKESO since its establishment in October 1971.
The organisation admitted that this isn’t the first time it had a cyberattack as they faced a series of breaches previously. It said the last incident took place in September which was contained successfully. It said the actions of irresponsible hackers are a targeted attack towards the country’s interest and they have shared the forensic details with the authorities to ensure that it doesn’t happen to other government agencies.
There have been several high-profile data breaches involving government apps, departments and agencies in the past few years. This includes MySejahtera where over 3 million records have been obtained as well as databases allegedly leaked from the National Registration Department and the Election Commission. These data breaches are a major security concern as personal information can be misused for fake registration, scams and phishing attacks. Once the data is out, the damage is irreversible.
Legal experts have called upon the government to amend the Personal Data Protection Act (PDPA) to hold government agencies accountable for data breaches. At the moment, the PDPA in its current form only covers commercial entities and transactions, exempting both federal and state governments from its rules and principles, including those requiring data users to properly secure personal information provided to them.