I was asked to comment on Malindo Air's latest data breach incident by the South China Morning Post, The Malaysian Reserve and Global Data Review.
Malindo Air, a subsidiary of low-cost airline Lion Air, has suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums last month.
In the South China Morning Post's article titled "Malindo Air confirms data breach, exposing millions of passengers' personal data", it was reported:
Cyber law and technology lawyer Foong Cheng Leong said that companies in breach of Malaysia’s Personal Data Protection Act are not under any legal obligation to notify the authorities, the public, or the victim of the leak, although this lacuna is being reviewed.
"There is no data breach notification rule in Malaysia under this Act. However, there is of course a moral obligation on the part of the company to notify the subject and the public," said Foong.
"Unfortunately, in Malaysia these data breaches happen often, but if nobody knows about it, nothing happens. During past breaches, there were some investigations but no prosecutions and no repercussions."
In The Malaysian Reserve's article titled "Experts call for tougher law on data breach as Malindo Air becomes latest victim", I said:
“There should be a data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve in an earlier report.
He added that the Personal Data Protection Commissioner had introduced a consultative paper to propose the mandatory disclosure, but the progress has been muted so far.
Currently, parties suffering from a data leak in Malaysia are not obliged to notify the authorities or the victims.
"In Europe, under the General Data Protection Regulation, any company, including foreign firms with an office in and/or serving the European region, is required to lodge a report of any data breach within 72 hours.
“Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach,” Foong said.
Lastly, in Global Data Review's article titled "Lion Air Group data breach affects more than 30 million customers", it was reported:
Foong Cheng Leong, a partner at Foong Cheng Leong & Co in Kuala Lumpur, said Malindo Air may have fallen foul of the country's Personal Data Protection Act. This can attract criminal sanctions: a fine of up to 300,000 ringgit (€65,000) and a prison sentence of up to two years.
In spite of this, Leong said enforcement may not be forthcoming. He said that the government has yet to make a prosecution under the law for a data breach in spite of “numerous high-profile data breaches” in Malaysia since the law came into force.
Leong said Malindo Air might be liable under other data protection laws in the region. “However, it is not known if the data protection authorities will take or have the power to take any action against Malindo Air”, he said.
Leong said that the issue has drawn attention to the absence of notification requirements in Malaysia’s data protection law.