By Danial Dzulkifky
SHAH ALAM, Jan 4 — Following the launch of the country’s Central Database Hub (Padu) system on Tuesday (January 2), cybersecurity experts have suggested several measures which the Federal government can take to address the security concerns raised hours after registration was opened to the public.
The system, designed to gather data from the public as part of a concerted effort, among other objectives, to provide a fairer distribution of subsidies, was launched to much fanfare but quickly garnered attention from Malaysian netizens due to several identified security loopholes.
Speaking to Selangor Journal, cybersecurity consultant Alvin Teoh recommended the government scale back the size of data they intended to collect in the initial stage to ensure the system’s stability and its efficacy in managing the large incoming data traffic.
Citing Selangor’s potential super app SELangkah and the MySejahtera app as examples, he said the government should limit the data based on age bracket before slowly expanding the datasets.
“They should implement what these apps have done, which is to conduct registration via age group first. The government can then slowly expand the number of people who can register based on age group.
“This can allow for better data management and provide ample room for the engineers or the development team to deal with issues effectively,” Teoh said when contacted.
In addressing the complaints raised, he said the development team behind the system should have been given more time to stress test its efficacy and integrity before it was launched.
Adequate development time is essential for developers to conduct quality assurance and control over the database.
“The team behind the system’s development should not be rushed to quickly deploy the application, but instead be given enough time to conduct a dry run or bench test.
“This is essential to appropriately identify and deal with issues within the system. For such a huge database, it is not prudent to launch it first and conduct hotfixes and patches as you go,” Teoh said.
Cybersecurity firm LGMS Berhad’s executive chairman Fong Choong Fook also agreed with the need for the development team to conduct a stress test on the system before its launch.
“The complaints on social media following the launch of the system show loopholes in the system, which should not have happened as the security issues shown were very basic in nature and should have been avoided,” he said, adding that such problems should have been resolved in development rather than post-deployment.
Fong also voiced concern over the system’s integrity, as a single database is considered “old school” and is more susceptible to cyberattacks.
“The nature of data now is decentralisation. With a centralised system, it is easier for attacks and hacks as criminals only need to target a single source compared to over 400 data points, comprising government agencies and departments, from which Padu aims to collate data.
“The data are all critical information, like income, assets, properties, and whatever else that is attached to you personally,” he said.
Fong suggested the government should instead follow in the footsteps of its Singaporean counterpart, which opted to adopt an Application Programming Interface (API) to manage multiple data points and connect with various government services or databases via a single user interface, instead of storing all the information in a single database.
On Tuesday, Prime Minister Datuk Seri Anwar Ibrahim launched Padu as part of the government’s digitalisation effort and to gather much-needed information to provide a fair distribution of subsidies.
Despite its noble intentions, the system’s integrity was questioned by Malaysians, to which the Economy Ministry responded on X that it is constantly monitoring feedback and making the necessary improvements.
Its minister Rafizi Ramli also took to the social media platform to address some of the critical security issues, such as a flaw that allowed an individual’s identification card number to be used to override and change passwords, which has been resolved.
The weakness in authentication was not discovered during the Security Posture Assessment (SPA), but was swiftly addressed by the Padu team.
As of Tuesday, 233,782 people had registered with Padu, with 118,115 completing the electronic Know Your Customer (eKYC) process and 71 per cent completing eKYC verification.
He said updating information can be done immediately after logging in without going through the eKYC process.


