A government website by the Ministry of International Trade and Industry (MITI) may have inadvertently exposed personal information of employees registered for the Public-Private Covid-19 Industrial Immunisation Programme (PIKAS), a cyber security expert claimed.
PIKAS is a Covid-19 vaccination programme for the manufacturing sector and it was launched when the country first began rolling out the vaccines to the public.
According to a report by CodeBlue, the discovery was made by Dr Suresh Ramasamy, who formerly headed IT security at a bank and two telcos in Malaysia. He claimed that a server behind MITI’s PIKAS website at pikas.miti.gov.my exposed a directory holding more than two thousand files.
These appear to be the same files that companies had to upload to the PIKAS website when the programme began in June 2021. Each file contained the details of a company’s staff, including name, IC number, employee ID, age, gender and contact details.
“Some of the organisation names indicate a large number of staff (based on publicly known data), which gives rise to the conclusion that there were more than a million records of personal information that was left open for anyone to access,” said Suresh.
“Since it’s left open, it’s best to confirm that the data is probably out in the wild, to anyone who has access to the internet,” he added.
Dr Suresh also said the storage directory was not the only one left open; many others were, which suggests the exposure could have been intentional.
He pointed to a directory named logs containing files whose names begin with ‘laravel’. He explained that Laravel application logs like these are typically left open to give the vendor access for troubleshooting the application.
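The two misconfigurations described above, an open directory listing and Laravel’s logs reachable over the web, are both deployment-level mistakes. The following nginx server block is an added illustration written for this article, not MITI’s or the vendor’s actual configuration; the hostname, paths and socket are placeholders. It shows the weak settings as comments beside the hardened ones.

```nginx
server {
    listen 443 ssl;
    server_name pikas.example;   # placeholder hostname, not the real site

    # WEAK: root /var/www/app;  (project root, so storage/logs/laravel-*.log,
    #       .env and any uploaded spreadsheets become URL-addressable)
    # HARDENED: only Laravel's public/ directory is ever served; storage/,
    #       logs and uploads live outside the document root.
    root /var/www/app/public;
    index index.php;

    # WEAK: autoindex on;  (renders "Index of /" pages for any directory
    #       without an index file, which is what exposes bulk uploads)
    autoindex off;

    # Defence in depth: even if a spreadsheet or log file is copied under
    # public/ by mistake, refuse to serve it directly.
    location ~* \.(xls|xlsx|csv|log)$ { deny all; }

    # Refuse dotfiles; .env holds the app key and database credentials.
    location ~ /\. { deny all; }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Uploaded files should be written to Laravel’s non-public storage disk and handed out only through an authenticated controller route, so that no direct URL ever maps to them.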
As for why the Excel files were left out in the open, Dr Suresh suggested three possibilities:
- “An eager beaver wants to take home work, asks IT admin to leave the files open so that they can copy it at home and do that number crunching so that M gets his report on time.
- IT dev team needs the files to do some batch processing and needs to transfer the files to a different server, leaving an open directory makes it easy to move files around.
- Malicious staff wants to sell data to interested parties, and has access to the server to move files around.”
Dr Suresh also said it was unknown how long the information had been exposed. “Only MITI IT folks will be able to tell based on the server logs (if that is enabled),” he added.
The PIKAS website had been taken down at the time of writing, but MITI has yet to release a statement on what happened.
CyberSecurity Malaysia appears to be aware of the potential data leak: CodeBlue notes that the agency told Dr Suresh it had taken action to ‘notify and advice the respective party accordingly’.
An email from CyberSecurity Malaysia dated 27 May then closed the case on Dr Suresh’s complaint that he had filed with them on 22 May.
Last month, a massive data leak was reported in which a JPN database containing the personal details of approximately 22.5 million Malaysians was found for sale online. The seller even provided the personal data of Home Affairs Minister Dato Seri Hamzah bin Zainudin to show that the database was genuine.