Theme Editor

16px
Data Security

Data Breaches & Privacy

A data breach occurs when sensitive, protected, or confidential information is accessed, copied, or transmitted by an unauthorised party. In Malaysia, data breaches have exposed millions of personal records including identification numbers, banking details, medical records, and contact information. High-profile incidents involving telecommunications companies, e-commerce platforms, and government databases have underscored the urgent need for stronger data protection practices.

Under the Personal Data Protection Act (PDPA) 2010, Malaysian organisations that collect and process personal data must implement reasonable security measures to protect it. Breaches not only cause financial harm to individuals but can also result in significant regulatory penalties for the organisations responsible. Understanding how data breaches occur and how to protect yourself is essential in today's digital landscape.

What Is a Data Breach?

A data breach happens when security measures fail to protect personal data from unauthorised access. This can occur through hacking, malware attacks, insider threats, lost or stolen devices, or even accidental exposure due to misconfigured databases. A breach is not always the result of sophisticated cyber attacks — many occur because of basic security oversights such as weak passwords, unencrypted data, or lack of access controls.

Data breaches can affect individuals directly — leading to identity theft, financial fraud, and reputational damage — and can also undermine public trust in organisations and institutions that fail to safeguard personal information.

Common Causes of Data Breaches

Data breaches in Malaysia typically result from one or more of the following causes:

  • Cyberattacks: Hacking, SQL injection, malware, and ransomware are the most common methods used to steal data from organisations
  • Phishing and social engineering: Attackers trick employees into revealing credentials that provide access to sensitive systems
  • Insider threats: Employees or contractors with legitimate access may intentionally or accidentally expose data
  • Misconfigured databases and cloud storage: Unsecured servers and cloud buckets exposed to the internet are an increasingly common source of mass data leaks
  • Lost or stolen devices: Laptops, USB drives, and mobile phones containing unencrypted personal data
  • Weak authentication: Default passwords, reused credentials, and lack of multi-factor authentication

Impact on Individuals

The consequences of a data breach for affected individuals can be severe and long-lasting:

  • Identity theft: Stolen identification numbers and personal details can be used to open accounts, apply for loans, or commit fraud in your name
  • Financial loss: Compromised banking information can lead to unauthorised transactions and account drainage
  • Emotional distress: The knowledge that personal information has been exposed can cause significant anxiety and loss of trust
  • Targeted scams: Leaked personal data enables more convincing phishing and scam attacks tailored to the victim
  • Reputational harm: Sensitive personal information, if published, can affect personal and professional relationships

Protection Measures

While individuals cannot prevent breaches at the organisational level, there are important steps to minimise your personal risk:

  • Use unique, strong passwords for every online account and store them in a password manager
  • Enable multi-factor authentication (MFA) on all accounts that support it
  • Monitor your bank statements and credit reports regularly for unauthorised activity
  • Minimise the personal information you share online and with organisations that do not need it
  • Encrypt sensitive files on your devices and use a VPN on public networks
  • Be cautious of unsolicited requests for personal information, even from看似legitimate sources

Organisations in Malaysia are required under the PDPA to implement appropriate security measures and notify the Personal Data Protection Department (JPDP) of any breach involving personal data. If your data has been compromised in a breach, you have the right to be informed and to take legal action if the organisation failed to protect your information.

When to Take Action

Take Action Immediately If:

You receive notification that your data has been compromised

You notice unauthorised transactions on your bank or credit accounts

Your identity documents are used fraudulently

You receive suspicious calls or messages referencing personal information only an organisation would have

Report data breaches and identity theft to the police, the relevant bank or financial institution, and CyberSecurity Malaysia via the Cyber999 portal. You can also file a complaint with the Personal Data Protection Department if you believe an organisation has failed to protect your data as required by the PDPA. Taking swift action limits the damage and helps authorities investigate the breach.

Key Statistics

26,000+

Cyber999 reports received by CyberSecurity Malaysia annually

33M+

Personal records exposed in Malaysian data breaches in recent years

RM 565M

Estimated losses from cybercrime including data breaches in Malaysia