KUALA LUMPUR – When “Abdul” purchased a new mobile number a couple of months ago, he was not expecting any issues when logging back into the MySejahtera app.
Far from it: the 60-year-old retiree residing in Kepong got a rude shock when he found that his account – signed in using his newly registered number – now bears a different name, that of “Haikal”, who lives in Penang and is not fully vaccinated, according to his MySejahtera record.
Abdul suspects Haikal was the previous owner of the mobile number.

Abdul’s biggest fear is that his case could be just one of many faced by other MySejahtera users in the country, raising serious concerns of possible personal data abuse.
“For one, another person could have bought my old number and similarly have access to my MySejahtera account and whatever information within,” he told The Vibes today.
“This person could even be unvaccinated and because of this flaw in the app, he can travel around as he wishes using my vaccine certificate.
“In a worst-case scenario, anti-vaxxers may even try their luck and purchase new numbers in the hope that the previous owner is fully vaccinated and that this is updated in the app.”
Abdul also fears that Haikal might lodge a police report against him for impersonation and supposedly “stealing” information from his MySejahtera account.
While he has found a workaround – he now has to log in using his personal email in order to regain access to his account – this does not solve the bigger issue of data abuse.
This has raised further questions about the security of MySejahtera, which had only very recently drawn flak after scores of users received unsolicited emails and one-time password (OTP) messages for check-in QR registrations.
One netizen pointed out in a Lowyat.net forum that anyone can deliver OTP texts to random phone numbers by running certain code, due to a lack of security features in the government-developed app.
The Health Ministry (MoH) has since responded, saying the false emails and text messages are the result of third-party misuse of the MySejahtera application programming interface and not due to a database leak.
It also claims that the security aspects of the app have since been beefed up to avoid any recurrence of the problem.
Abdul – who shared his painful experience of using MySejahtera with The Vibes after an article on the unsolicited messages was published earlier today – said his biggest complaint is that despite multiple attempts to get MoH to resolve his issue, it has yet to be fixed.
He said he is perplexed by the lack of action, as the matter could easily be addressed by the service provider simply by unlinking a mobile number from its previous owner as soon as it changes hands.

Sharing screenshots of his conversation with an MoH official, Abdul noted how he was merely told to create a new MySejahtera ID if he was still facing issues logging in using his mobile number.
“If the phone number is still being used by the old user for MySejahtera, we won’t be able to do anything. (You) need to create a new account with a different ID,” one of the messages from the health personnel read.
Abdul, however, argued that this matter should not be taken lightly and MySejahtera must not wash its hands of the issue as it involves the personal data of other individuals.
“As long as this phone number portrays the information of its previous owner, it is a huge offence,” he said. – The Vibes, October 20, 2021