When Malaysia started rolling out COVID-19 vaccines to the public, one of the channels was the Public-Private COVID-19 Industrial Vaccination Program, or PIKAS for short, under which the Ministry of International Trade and Industry (MITI) asked certain companies in the manufacturing sector to register their employees. However, a new report now claims that the PIKAS website may have inadvertently exposed the details of more than two thousand Malaysians who registered through it.
According to a report by CodeBlue, which in turn drew on a LinkedIn post by Dr. Suresh Ramasamy, a server for MITI's PIKAS website at pikas.miti.gov.my had a directory holding more than two thousand files. These appear to be the same files that companies had to upload to the PIKAS website when the program started in June 2021. Each file contained details of company personnel, including their name, IC number, employee ID, age, gender and contact details.
It is quite appalling that all this data was left on the open web for anyone to access. At the time of writing, however, the PIKAS website appears to be down and inaccessible. Dr. Suresh claims that the Excel files on the PIKAS servers held over a million personal information records, available to any bad actor who found the directory. He also goes on to say that all of the PIKAS programs seemed to rely on this one directory for their information.
As Dr. Suresh mentions in the article, the storage directory was left open along with many others, so it could have been left open intentionally. He notes that there was another directory called logs containing files named "laravel". These are Laravel application logs, which, according to Dr. Suresh, may have been left open because the vendor needed access to troubleshoot the system. As to why the Excel files were left out in the open, Dr. Suresh says the IT department may have left them accessible so staff could work on them remotely, or to transfer files between servers. Bad actors inside could also have left it open.
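The two misconfigurations described above, a browsable directory of uploaded files and a Laravel log directory served over HTTP, are easy to check for once you have the server's responses. The checker below is an added example, not code from the report or from MITI's vendor; it classifies HTTP responses offline using the well-known signatures of Apache, nginx and IIS directory indexes and of Laravel's log line format. The paths and response bodies are constructed for the example and were not captured from pikas.miti.gov.my or any other site.

```python
"""Offline checker for exposed directory listings and Laravel logs.

Added example. The responses in SAMPLE_RESPONSES are constructed for
illustration and are not captured from any real server.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    issue: str


# Signatures of auto-generated directory indexes.
DIR_INDEX_PATTERNS = (
    re.compile(r"<title>\s*Index of /", re.I),    # Apache mod_autoindex / nginx autoindex
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),  # IIS directory browsing
)

# A Laravel log line looks like "[2021-06-14 09:12:33] production.ERROR: ...".
LARAVEL_LOG_LINE = re.compile(
    r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] \w+\."
    r"(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG):",
    re.M,
)

# Spreadsheet uploads linked from inside a listing.
SPREADSHEET_LINK = re.compile(r'href="[^"]+\.(xlsx?|csv)"', re.I)


def classify(path: str, status: int, body: str) -> list[str]:
    """Return the issues found in one HTTP response (empty list if none)."""
    issues: list[str] = []
    if status != 200:
        return issues  # 403/404: the path is not served, nothing to report
    if any(p.search(body) for p in DIR_INDEX_PATTERNS):
        issues.append("directory listing enabled")
        if SPREADSHEET_LINK.search(body):
            issues.append("listing links to spreadsheet files")
    if LARAVEL_LOG_LINE.search(body):
        issues.append("laravel log readable over http")
    return issues


def audit(responses: dict[str, tuple[int, str]]) -> list[Finding]:
    """responses maps a request path to (status, body). Returns every finding."""
    return [
        Finding(path, issue)
        for path, (status, body) in responses.items()
        for issue in classify(path, status, body)
    ]


# Constructed responses: an open listing with spreadsheet uploads, an exposed
# Laravel log, and one path the server correctly refuses to serve.
SAMPLE_RESPONSES: dict[str, tuple[int, str]] = {
    "/storage/uploads/": (
        200,
        '<html><head><title>Index of /storage/uploads/</title></head>'
        '<body><h1>Index of /storage/uploads/</h1>'
        '<a href="../">../</a><a href="company_a.xlsx">company_a.xlsx</a>'
        '</body></html>',
    ),
    "/storage/logs/laravel.log": (
        200,
        "[2021-06-14 09:12:33] production.ERROR: SQLSTATE[HY000] ... "
        "at /var/www/app/Http/Controllers/RegisterController.php:88\n",
    ),
    "/storage/logs/": (403, "<html><h1>403 Forbidden</h1></html>"),
}


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(f"{finding.path}: {finding.issue}")
```

In practice the `responses` dict would be filled by fetching the paths you are authorised to test (for a Laravel deployment, `/storage/`, `/storage/logs/` and `/storage/logs/laravel.log` are the usual candidates); a 200 on any of them with a directory index or a log line in the body is a finding on its own, regardless of what the listed files contain.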
Still, we'll have to wait for MITI to issue a statement to get a better idea of what happened, especially since the PIKAS website is now down. In the meantime, CyberSecurity Malaysia already appeared to be aware of the potential data leak: CodeBlue notes that the agency told Dr. Suresh it had taken steps to "notify and advise the affected party accordingly". An email from CyberSecurity Malaysia dated May 27 then closed the case on the complaint Dr. Suresh had filed with it on May 22.
That makes this just the latest data leak in Malaysia in the past two weeks. Last May, a JPN database containing the personal details of around 22.5 million Malaysians went on sale online. The seller even provided Home Minister Dato Seri Hamzah bin Zainudin's personal data as proof. You can read more about it here. [SOURCE 2]