S’porean Motorists Risk Leak Of Personal Info Through VEP Application
Starting from October, Singaporean motorists will need to apply for a vehicle entry permit (VEP) to visit Malaysia.
On Friday (26 Apr), MS News reported that motorists can register at Malaysia’s VEP website.
If you haven’t registered for a VEP yet, then hold on and take a breather.
Motorists could get their personal information leaked due to a loophole, reports The Straits Times on Friday (26 Apr).
Here’s our detailed summary of the saga, which could impact thousands of registered locals.
Personal data viewed by other VEP holders
On Friday (26 Apr), Singaporean driver Mohamadd Hafiz sent the website’s URL to his nephew so he could register too.
He recalled in an interview,
When he opened the page, he was surprised he was staring at my own details and not his.
Mr Hafiz, an IT specialist, made slight modifications to the URL.
He quickly discovered the personal data of other motorists such as their address, passport number, email and phone number.
For starters, here’s a sample VEP profile.
Mr Hafiz said that Malaysian authorities should have done a website penetration test so that personal data was not easily available.
The Straits Times contacts Malaysian authorities
Upon the discovery of the loophole, The Straits Times contacted Malaysian authorities at 12:00pm on Friday (April 26).
The site was under maintenance a few hours later.
As of 11:00am on Saturday (April 27), the VEP Portal is back in action.
Risk of access for shady purposes & marketing ploys
According to Mr Roger Rajan from JMS Rogers, companies in the finance and marketing industry can access the information.
He told The Straits Times,
Some business people would be overjoyed to have this type of information for free. With it, background checks can be done.
Applicants may also be targets for loan scams and marketing ploys.
While passwords can easily change, addresses and passport numbers don’t share the same fate.
Mr Aloysius Cheang – an executive of the Centre for Strategic + Security Science – said that the leak meant addresses and passport numbers were longer an effective means to verify an individual’s identity.
Malaysia’s Personal Data Protection Act (PDPA)
The Malaysian Personal Data Protection Act 2010 had a set of requirements and responsibilities for businesses that aggregate the personal information of employees and customers.
The penalty for violating the act is a fine not exceeding RM 300,000 ($98,870) and/or imprisonment not exceeding 2 years.
Mr Foong Cheng Leong – a lawyer who specialised in data protection – told The Straits Times that the PDPA does not apply to Malaysian government agencies.
There may be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence.
Keep waiting for updates
There’s still a few months before October so stay tuned for updates.
VEP applicants should wait for Malaysian authorities to solve the website’s issues.
In the future, we hope businesses and organisations will conduct tests to ensure that users’ personal information will remain private.