Back in July 2021, the Ministry of International Trade and Industry (MITI) required companies to register their staff for the Public-Private Covid-19 Industrial Immunisation Programme (PIKAS). Personal data of the employees involved in the program may have been exposed, according to a cybersecurity expert.
Suresh Ramasamy, in a LinkedIn post, showed screenshots of a file directory under the PIKAS website. Among the files found in there were spreadsheets that are the ones that companies were supposed to submit to MITI via the PIKAS system. The spreadsheets in question had the names, IC numbers, employee ID, age, gender and contact numbers of the companies’ staff. From one of the screenshots posted, the spreadsheets had file names that look like they reference the companies that submitted them.
In the post, Suresh claims that the directory in question may have been intentionally left it open. Supporting his claim, he points to another directory called “logs” with files starting with the name Laravel. This is referencing Laravel application logs that are left open to provide vendor access for troubleshooting purposes. As for why the directory was left open, Suresh’s hypothesises that it either involves remote work, easier file transfer to a different server, or straight up malicious intent involving the sale of the data in question.
CodeBlue reports that the MITI PIKAS site in question was taken down shortly after Suresh published the LinkedIn article. There’s also no way to tell the duration of which the directory was left open beyond MITI’s own server logs.
This comes hot on the heels of two other recent privacy concerns including the issue surrounding the MySejahtera app and ownership of the app’s data. Another is the data leak that purportedly came from the National Registration Department (JPN) although Home Minister Hamzah Zainudin has since denied this.
