Recently, it was reported that a former employee of Astro had been sentenced to four years' imprisonment by the Sessions Court after pleading guilty to 731 charges of tampering with the company's database over nearly seven years.
According to the facts of the case, the former employee, who had worked with Astro since 2003, was granted access to the company's internal AMDOCS Customer Relationship Management (CRM) system through two user IDs registered under her name. Between October 30, 2013 and August 20, 2020 she converted, without authorisation, 731 regular paying customer accounts into corporate accounts, which are non-paying accounts created solely for the company's internal use.
According to the prosecution, the former employee's actions affected the integrity and reliability of Astro's computer systems, particularly the CRM system, which is the company's core customer management and transaction system.
Under the Personal Data Protection Act (PDPA), as amended in 2024, employers (as data controllers) are legally required to report personal data breaches. Astro must notify the Personal Data Protection Commissioner (PDPC) as soon as practicable, and no later than 72 hours after discovering or suspecting the breach.
If the breach causes or is likely to cause significant harm to the affected individuals (such as identity theft, financial loss, or the compromise of sensitive data), the company must also notify those individuals without unnecessary delay.
While it was the employee who compromised the database, the company, as the data controller (the "data user" in the Act's earlier terminology), is ultimately responsible.
Under the PDPA, the company must immediately contain the breach, investigate it, and handle the notifications. Depending on company policy and the nature of the breach, the employee may also face internal disciplinary action or termination.
The fact that an employee caused the compromise does not exempt the company from this mandatory obligation.
Did Astro report the breaches to the office of the Personal Data Protection Commissioner, and if so, when?
Was it on one occasion or over a period of time?
It looks like the public would not have known about the breach if the charges against the former employee had not been reported publicly, owing to the sheer number of charges proffered against her: reportedly the most ever brought against a single person in Malaysia, 731 charges that took five hours to read out in court.
On this alone, Astro already appears to have run afoul of the provisions of the PDPA.
What were the rectification and remediation measures that were taken by Astro upon discovering these breaches?
The charge stated that the former employee was granted access to the company's internal AMDOCS Customer Relationship Management (CRM) system through two user IDs registered under her name.
How many others at Astro had two user IDs, and who were they? Does everyone in senior management, from the CFO or Financial Controller to the CEO/MD, have two user IDs giving them the same access as the former employee?
What remediation measures did Astro undertake after this breach to ensure that other employees who still have access through two user IDs cannot repeat the same thing?
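The pattern described in the case, one person converting paying accounts to a non-paying type through more than one CRM user ID over a long period, is one that a CRM audit log can be checked for continuously. The script below is an added example written for this article; it is not Astro's or AMDOCS's code and it makes no claim about their systems. The audit-record layout, the field names, the user-ID-to-person mapping and the sample records are all constructed assumptions for illustration. It collapses user IDs onto the person they belong to (so a second ID does not split the count), keeps only paying-to-non-paying conversions with no approval reference, and flags anyone whose count passes a threshold or who bunches conversions inside a rolling window.

```python
"""Detect unapproved paying-to-non-paying account conversions per person.

Added example, not from the original article. Every name, field and record
below is an assumption constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from CRM user IDs to the natural person who holds them.
# In practice this comes from the identity management or HR system.
USER_ID_OWNER = {
    "crm_u1001": "employee_A",
    "crm_u1002": "employee_A",   # second ID registered to the same person
    "crm_u2001": "employee_B",
}

# Constructed audit records:
# (timestamp, user_id, account_id, old_type, new_type, approval_ref)
SAMPLE_AUDIT = [
    ("2013-10-30T09:12:00", "crm_u1001", "acc-0001", "regular", "corporate", None),
    ("2013-11-02T14:03:00", "crm_u1002", "acc-0002", "regular", "corporate", None),
    ("2014-01-15T10:20:00", "crm_u1001", "acc-0003", "regular", "corporate", None),
    ("2014-01-16T11:00:00", "crm_u2001", "acc-0004", "regular", "corporate", "CHG-4471"),
    ("2014-02-01T08:30:00", "crm_u2001", "acc-0005", "corporate", "regular", None),
]


def unapproved_conversions(records, from_type="regular", to_type="corporate"):
    """Return conversions from a paying type to a non-paying type that carry
    no approval reference. Reverse conversions are not of interest here."""
    return [r for r in records
            if r[3] == from_type and r[4] == to_type and r[5] is None]


def people_with_multiple_ids(owner_map):
    """Map each person who holds more than one CRM user ID to those IDs."""
    ids_by_person = defaultdict(list)
    for uid, person in owner_map.items():
        ids_by_person[person].append(uid)
    return {p: sorted(ids) for p, ids in ids_by_person.items() if len(ids) > 1}


def conversions_per_person(records, owner_map):
    """Count unapproved conversions per person, merging all of their user IDs.
    An ID with no known owner is counted under the raw ID so it is not lost."""
    counts = defaultdict(int)
    for r in unapproved_conversions(records):
        counts[owner_map.get(r[1], r[1])] += 1
    return dict(counts)


def peak_in_window(records, owner_map, person, window_days=90):
    """Largest number of unapproved conversions by one person inside any
    window of window_days, regardless of which of their IDs was used."""
    times = sorted(datetime.fromisoformat(r[0])
                   for r in unapproved_conversions(records)
                   if owner_map.get(r[1], r[1]) == person)
    window = timedelta(days=window_days)
    peak = 0
    for i, start in enumerate(times):
        peak = max(peak, sum(1 for t in times[i:] if t - start <= window))
    return peak


def flag_operators(records, owner_map, threshold=2):
    """People whose total of unapproved conversions reaches the threshold."""
    return sorted(p for p, n in conversions_per_person(records, owner_map).items()
                  if n >= threshold)


if __name__ == "__main__":
    print("people holding several IDs:", people_with_multiple_ids(USER_ID_OWNER))
    print("unapproved conversions per person:",
          conversions_per_person(SAMPLE_AUDIT, USER_ID_OWNER))
    for person in flag_operators(SAMPLE_AUDIT, USER_ID_OWNER):
        print(f"FLAG {person}: peak of {peak_in_window(SAMPLE_AUDIT, USER_ID_OWNER, person)}"
              " conversions in a 90-day window")
```

The point of joining on the person rather than the user ID is that a second ID is exactly what lets per-ID thresholds be stayed under; the approval-reference check turns the conversion from a silent data edit into something that must carry a ticket. Thresholds and the window length are tuning choices, not figures from the case.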
Did the former employee benefit from this exercise, i.e. switching paying customers to non-paying accounts, and if so, how?
Did Astro take any action to recoup these losses from the former employee?
How long did those 731 regular paying customers enjoy their non-paying status?
Did Astro terminate their accounts immediately upon discovering the breaches, and seek legal remedies to recover the subscriptions these 731 accounts had previously been paying, for that period and beyond?
Were reports lodged against the 731 account holders for conspiring, cooperating or collaborating with the former employee? These 731 account holders must have consented to and agreed with the act; otherwise there would have been no beneficial interest for the former employee in converting a paying account into a non-paying one.
Astro reportedly serves approximately 5.2 to 5.7 million homes in Malaysia.
Did the breach by the former employee affect the integrity of the remaining 5 million accounts?
Did Astro notify these 5 million subscribers about the breaches and assure them of the integrity of their personal data held by Astro?
Under the Personal Data Protection Act (PDPA) and civil laws, customers affected by a data breach can take action against an organisation in Malaysia.
Can the 5 million customers take action against Astro for the purported breaches?
If these 5 million customers were to take action, how would this impact Astro's operations and financial position going forward?
Astro may claim that all of the above are operational issues and that it is not at liberty to divulge them or respond to the public.
Does Bursa Malaysia share the same sentiment too if that is the response from Astro?
Forget about the Commissioner of PDPA.
It would be a surprise if the general public knew who the Commissioner is and what the Commissioner's role is in overseeing and enforcing the PDPA.
Probably, she agrees with Astro that what their former employee undertook between October 30, 2013 and August 20, 2020 does not constitute a data breach within the definition of a breach spelt out in the PDPA.
If that is the opinion and view of the Commissioner, have mercy on the cybersecurity landscape of Malaysia.
FLK (leekhean.foo@gmail.com) is a content creator under the Newswav Creator programme.