Starting from October, Singaporean motorists will need to apply for a vehicle entry permit (VEP) to visit Malaysia.
On Friday (26 Apr), MS News reported that motorists can register at Malaysia’s VEP website.
If you haven’t registered for a VEP yet, then hold on and take a breather.
Motorists could get their personal information leaked due to a loophole, reports The Straits Times on Friday (26 Apr).
Here’s our detailed summary of the saga, which could impact thousands of registered locals.
On Friday (26 Apr), Singaporean driver Mohamadd Hafiz sent the website’s URL to his nephew so he could register too.
He recalled in an interview,
When he opened the page, he was surprised he was staring at my own details and not his.
Mr Hafiz, an IT specialist, made slight modifications to the URL.
He quickly discovered the personal data of other motorists such as their address, passport number, email and phone number.
For starters, here’s a sample VEP profile.
Mr Hafiz said that Malaysian authorities should have done a website penetration test so that personal data was not easily available.
Upon the discovery of the loophole, The Straits Times contacted Malaysian authorities at 12:00pm on Friday (April 26).
The site was under maintenance a few hours later.
As of 11:00am on Saturday (April 27), the VEP Portal is back in action.
According to Mr Roger Rajan from JMS Rogers, companies in the finance and marketing industry can access the information.
He told The Straits Times,
Some business people would be overjoyed to have this type of information for free. With it, background checks can be done.
Applicants may also be targets for loan scams and marketing ploys.
While passwords can easily change, addresses and passport numbers don’t share the same fate.
Mr Aloysius Cheang – an executive of the Centre for Strategic + Security Science – said that the leak meant addresses and passport numbers were longer an effective means to verify an individual’s identity.
The Malaysian Personal Data Protection Act 2010 had a set of requirements and responsibilities for businesses that aggregate the personal information of employees and customers.
The penalty for violating the act is a fine not exceeding RM 300,000 ($98,870) and/or imprisonment not exceeding 2 years.
Mr Foong Cheng Leong – a lawyer who specialised in data protection – told The Straits Times that the PDPA does not apply to Malaysian government agencies.
He said,
There may be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence.
There’s still a few months before October so stay tuned for updates.
VEP applicants should wait for Malaysian authorities to solve the website’s issues.
In the future, we hope businesses and organisations will conduct tests to ensure that users’ personal information will remain private.
Featured image from Edgeprop and Malaysia Vehicle Entry Permit.
A record of more than 553,000 travellers crossed both checkpoints on 13 Dec.
There has been no year-end Covid-19 wave, as had been expected.
The beef was imported without a veterinary health certificate and halal certification.
One fan started queueing as early as 7am.
The company made the change after parents said they wanted to make sure their gifts…
An incredible twist of fortune for the police -- and a stroke of bad luck…