Recently, Malaysia’s largest online payment gateway iPay88 revealed a cybersecurity incident that took place earlier this year, where its users’ card details may have been compromised.
In a statement on Thursday (11 August), the company said it initiated an investigation immediately upon discovering the issue on 31 May and brought in cybersecurity experts to contain it.
“The containment process was successfully completed and no further suspicious activity has been detected since 20 July,” it said.
The company added that the investigation is still ongoing and that it is working closely with the authorities and relevant parties regarding the security violation.

“To ensure the continued safety of the card data, we have implemented various new measures and controls to strengthen the system’s security against any further incidents,” they assured, adding that they will share more updates and details on the breach in due time.
Meanwhile, the Association of Banks in Malaysia (ABM) has also assured cardholders that, despite the breach, they can continue to use their bank cards as normal.
However, it reminded users to closely monitor their bank statements and transaction alerts.

“In the event cardholders detect any unauthorised transactions, they should immediately contact their bank for assistance,” it said in a joint statement with the Association of Islamic Banking and Financial Institutions Malaysia (AIBIM).
At the same time, the associations said banks have taken additional countermeasures to safeguard their users, including real-time fraud monitoring to detect unusual and fraudulent card use behaviour and dual-factor authentication to prevent unauthorised transactions.
The announcement from iPay88 was not well received by Malaysians, with many calling out the company for only informing the public now rather than a few months earlier, when the incident actually occurred.
Lembah Pantai MP Fahmi Fadzil also questioned why it took iPay88 more than 2 months to announce the cybersecurity breach.
In a Facebook post, he questioned why the company only announced the incident on 11 August, and why it did so without providing complete details about the amount of personal data or the number of victims affected.
“If iPay88 is serious and genuine about handling this cybersecurity incident well, it should give financial compensation to all victims,” he said.
“This is very unsatisfactory, iPay88 should explain when exactly the company detects a data breach or theft; why it did not make an earlier announcement; and why it did not inform affected victims.”
He also called out ABM and AIBIM for not taking proactive measures to help and compensate victims of personal data theft, who may become victims of scams.
The Lembah Pantai MP then called on the government to set up a Royal Commission of Inquiry to thoroughly investigate the data breaches of the last five years and to strengthen the country’s cybersecurity.