Personal Data From 3 Million MySejahtera Users Were Downloaded Without Authorisation

Personal data from three million MySejahtera users have been downloaded without authorisation back in 2021. This was revealed by the Auditor General Report 2021 Series 2 dated 6 January 2023 which has just been released to the public earlier today.

The unauthorised download was made by a single MyVAS Admin account that has been provided with a Super Admin access level. While MySejahtera has a total of 882 administrator accounts, only 56 of them were MyVAS Admin accounts:

However, all 56 users have been individually identified by the Ministry of Health (MoH). Curiously, the report also said that the misused Super Admin account was created with the approval from MoH in the first place.

In terms of the data source, the account performed the download through the Vaccine Admin section of the MySejahtera platform. This particular section of the platform is where administrators are able to download and upload vaccination appointments, records, and exclusions from or to the platform’s database.

Administrators can also update and delete vaccination records via this section as well. The report noted that data was siphoned from the platform from 28 to 31 October 2021 over five different IP addresses, according to an e-mail that was sent by KPISoft to the National Security Council (MKN) on 2 November 2021.

However, the National Audit Department were not able to determine the exact data fields that were downloaded by the account. After the account was blocked, the National Cyber Security Agency (NACSA) was then informed of the incident before a police report was made on 5 November 2021.

This incident is still under police investigation although our quick check at a very well-known database marketplace forum showed that there are currently two sale listings that claimed to have data that were sourced from MySejahtera. One of them was listed back in October 2022 and was said to contain around 700,000 of lines while it also came together with a price tag of just USD250 (~RM1,101).

As for the second listing, it was put up on the marketplace in January 2023 although the seller said that the database was obtained in October 2022. This particular listing seemed to be much more advanced though as not only it featured the raw MySejahtera data with around 12.8 million rows but there is also a separate database that has been cross-referenced with the electoral roll from the Election Commission (SPR).

Together, they are being sold at USD4,800 (~RM21,140). While it is unclear whether these listings were related to the unauthorised download made by the Super Admin account, we certainly can’t ignore their existence as well.

Meanwhile, the timing of the revelation made by the latest Auditor General Report is rather peculiar given that the government is planning to table a new cybercrime law this July. That being said, we are not so sure if the authorities are able to pinpoint the preparator though, considering that it has been more than a year has passed since this incident was reported to the police.