Astro Malaysia Holdings Data Breach Review
This is a review on the Astro Malaysia Holdings Data Breach which happened in the early year of 2018 till 2019.
In the early year of 2018, Astro’s personal customers’ data that is belonging to pay for the TV operator Astro was putted up on the internet for sale. The database that was stolen was Astro Internet Protocol TV (IPTV) customers data. The person was selling 50,000 records on the internet meaning misuse the data for their benefits. The personal data of the customer was set for the price of RM3,000 per 10,000 records. On the same year, in June 2018, around 60,000 customers’ details was leaked, which included the names, identity card numbers, mobile numbers, installation addresses, portal ID numbers, and package subscriptions information. The data was being sold for RM4,500 for 10,000 records or 45 sen a record. The data breach didn’t stop there in 2018, in August 2019, Astro Malaysia Holdings, the satellite TV operator had again suffered from a data breach that had been troubling Astro in the past 18 months. The hackers were able to gain unauthorized access to their customers’ MyKad data. The compromised information contains customers’ MyKad data like names, addresses, dates of birth, race, gender, and NRIC numbers. No financial data has been compromised in the hack.
Astro Malaysia Holdings stated that they cannot comment on the cause of the data breach incident of Astro issue by the authorities but the media group is taking necessary steps for strengthening their security. From my point of view, the hackers were able to gain unauthorized acess to the customer data because the security of their database is weak and can easily be accessed.
Based on the news released by Myce.com, the data breach incident had left Astro’s company shares suffering. Myce.com stated based on the article released by Malay Mail, the business’ shares fell by 0.68% at RM1.45 per share. Meanwhile, the effect of the incident to the client was that the customers personal information and data was stolen from Astro database and offered for sale on the internet.
After reviewing the articles, the perpetrator is still unknown but we can say that the perpetrator for the incidents can be the same person or the same group of people since the techniques of stealing the data was the same throughout the year. While these occurrences are not new, attackers continue to hack because there are no charges filed against them. Fong Choong Fook, a cybersecurity expert, says that
“no one gets persecuted since the last telecommunications data leak.”
Fong Choong Fook
Astro was made aware of the incident on Jan 26 and had taken actions. To address this situation, Astro Malaysia Holdings claimed that they have addressed the incident immediately and stopped the unauthorized access. Astro also reported this incident to authorities and has been working closely with them. These entities include the local police, Department of Personal Data Protection (PDPA), and Malaysian Communications and Multimedia Commission (MCMC). MCMC had the search engine provider remove the link that are selling customer’s personal data and all trace of customers’ data online had been removed immediately. Maxis Broadband Sdn Bhd was requested to help with the investigation as the IPTV customers’ details that have been specifically provisioned by Maxis got leaked. Astro also took steps to strengthen the security system of their network and avoids from having this kind of incidents in the future.
Discussions
Classifications
The attackers hacked into the Astro’s database and offered the customers’ details for sale on the Internet, so the data breach incident was motivated by financial gain. Any people who want these details are willing to pay the hackers for them to use for other things. The main target of the hacker is the Astro company and the Astro customers. The hackers targeted them because there are possibles that Astro’s database security isn’t as strong as we think it, and it was relatively easy for them to obtain unauthorised access. The hackers also targeted them because there are many customers subscribe to Astro’s package and Astro has many different kind of customers. The media group of Astro did say that they will improve in strengthen their security in order the data breach won’t happen in the future. The skill level of the attacker is hacker level because the hacker have the experience and knowledge to access the database of Astro’s. By obtaining unauthorised access to Astro’s database, the hacker was able to steal customer details such as their name, phone number, IC number and etc.. Information theft and unauthorized access and is the type of security accident. The hackers allegedly gained access to the database without the company’s knowing and stealing the customers’ data. The role of computer in this incident was as the instrument of the crime. The hackers would probably be using a computer to hack into Astro’s database and stealing the customers’ information and storing the data into their computer. The level of privilege is unclear as Astro did not announce or give any information about who would possibly be the perpetrator of the data breach incidents whether they are an outsider or an insider of the company.
Civil Case of the Astro Data Breach
Data breach is a criminal case because this is an action of stealing an individual data for their own satisfaction. However, it can be a civil case too, depends on the situation.
A situation we can say it can become a civil case if Maxis Broadband Sdn Bhd fined Astro Malaysia Holding because the IPTV customers’ details that have been specifically provisioned by Maxis got leaked. Since Astro and Maxis teamed up to offer TV content and fiber broadband as one package. Customers that is using that collaboration package data had been leaked since the hacker were able to hack into Astro’s database. This is showing that the Astro’s security for their database was not strong enough to block the hacker from accessing the database. Eventhough the customers’ MyKad data was stolen. Astro’s Malaysia Holdings can be fined or sued for not able to be aware about the protection of the subscribers data . Therefore, this leads to Maxis fining Astro for not able to protect the data of the customer of their broadband for this package.
From the situation above, if Astro is only focusing on the content of their media and not paying much attention to their security system and cybersecurity protection, this can lead to a civil case. A lack of cybersecurity awareness can be the reasons why the security of Astro system isn’t that strong and the hacker can easily access and steal the information in their database. Based on this situation we can say that the civil offense found is having minimal care for their security system and being careless with managing the data of their customers. The offence that can given to Astro Malaysia Holdings is a fine or a punishment.
Improvement or Suggestions for Personal Data Protection Act (PDPA) of Malaysia
The Personal Data Protection 2010 (Act 709) is an Act that regulates the processing of personal data in regards to commercial transactions. There are 7 principles in PDPA which is general, notice and choice, disclosure, retention, security, access and data intergrity principle.
There are many points to Personal Data Protection Act (PDPA) of Malaysia 2010 on where it should be improved and here we shall focus on two points. The first point for the PDPA to improve is that they should increase the financial penalties to the organization for data breach as the organization failed to protect and secure the personal data of individuals, public and private sectors in Malaysia. The cause of the data breach is because the security of the organization aren’t strong enough and lead to the attackers having an unauthorized access to the organization server. The increase of the financial penalties towards the organization can help to make sure the organization take the data breach issue matter seriously.
The second point for PDPA to improve in is the privacy by design. Under the current rules, there is no requirement for data users to enforce privacy planning in process of developing a digital system in an organization. To reduce the risk of data breaches in Malaysia, we must recommend the data users to implement privacy with design that is a proactive security measure into a new system of life cycle built by them. Therefore, guidelines, guidance or awareness in implementing the privacy by design is needed.
Artifacts (Evidence/Resources)
- Personal data of Astro customers offered for sale online
Vijandren (2018, June 6)
Personal data of Astro customers offered for sale online | Lowyat.NET
The technology news portal Lowyat.net explained on the stumbled upon an offer for sales of personal customer data belonging to pay TV operator Astro. - Astro customer data and personal details leaked yet again
Vijandren (2019, August 22)
Astro customer data and personal details leaked yet again | Lowyat.NET
The portal is sharing that the Astro’s customer data and personal details have been breached again with over 60,000 customers. - Astro Suffers Data Breach, Incident Came Right After the First
Maricar Sze (2019, August 26)
Astro Suffers Data Breach, Incident Came Right After the First – Myce.com
The Myce portal stated that Astro Malaysia Holdings Bhd suffered another data breach in August 2019. Hackers gained access to the MyKad data of Astro customers’ which includes the IC number, date of birth, address, race, and gender. - Astro customers’ MyKad data got compromised due to a data breach
SPAMfighter News team (2019, October 9)
Astro customers’ MyKad data got compromised due to a data breach (spamfighter.com)
SPAMfighter New team stated that Astro has reported the incident to authorities and has been working closely with them. - Data privacy laws: Malaysia has a long way to go
Naufal Fauzi (2019, February 12)
Data privacy laws: Malaysia has a long way to go (nst.com.my)
The news portal highlighted the lack of PDPA such as PDPA 2010 is inapplicable if the personal data is processed outside Malaysia. - Introduction to PDPA
Mazmalek bin Mohamed
Introduction to Personal Data Protection in Malaysia (pdp.gov.my)
A slideshow by Mazmalek bin Mohamed the Director General of Personal Data Protection Department is talking about PDPA 2010 (Act 709) and the importance of Act 709.
Nur Atiqah binti Kamal CB20178 