[UPDATED] MySejahtera ‘Super Admin’ downloaded 3 mil users’ data to protect it: deputy minister

KUALA LUMPUR – The downloading of personal details of some three million MySejahtera users back in October 2021 was part of a security measure to protect their data due to a cyberattack on the Covid-19 tracking app at the time.

This was revealed by Deputy Health Minister Lukanisman Awang Saini, who told the Dewan Rakyat that the app’s “Super Admin” was forced to take the measure during the attack.

“On reports that three million data had been downloaded by a Super Admin, that was a safety measure taken when an attack happens,” he said today.

“The Super Admin had to act and download the data. However, I can’t comment in detail in this House as the case is currently under police investigation.”

Meanwhile, commenting on the recent auditor-general’s (A-G) report that there were 1.12 million attempted cyberattacks against the MySejahtera app, Lukanisman said the platform operator was able to fend these off, adding that no leakages happened.

The deputy minister was responding to a question from Datuk Ahmad Yunus Hairi (Kuala Langat-PN) on what guarantees the government can provide on data security following the attempted breach as reported by the A-G.

Previously, the A-G’s report had noted that a Health Ministry-approved Super Admin, an account with full access to security settings and administrative features of the MySejahtera app, had downloaded the data of three million vaccine recipients over three days beginning October 28, 2021.

The report revealed that the downloading of information was done with the help of multiple internet protocol addresses, and that the Super Admin account was later cancelled on November 2 the same year – two days after its final data download. 

Besides that, the A-G also revealed that a single IP address had tried 1.12 million times to break into the MySejahtera app database, beginning from October 27, 2021 – the day before the Super Admin download.

Following this, MySejahtera developers Entomo Malaysia had taken down the IP address and installed a firewall on November 1. 

On February 23, Communications and Digital Minister Fahmi Fadzil said he has instructed Cyber Security Malaysia to probe into the alleged data breach involving MySejahtera, and that the agency would announce the investigation’s outcome soon.

MySejahtera purchase capped at RM160 mil, certain payments made

To a supplementary question by Dr Kelvin Yii Lee Wuen (Bandar Kuching-PH), Lukanisman told the lower House that the Health Ministry has held negotiations with MySJ Sdn Bhd on the potential acquisition of MySejahtera, with its decision to be presented to cabinet in the near future.

The cabinet, he said, will then also decide on the app’s direction – whether to continue using it as a digital public health super app or for other matters.

He said the proposal for the super app will see MySejahtera become a data platform gathering health information on the Malaysian population.

According to Lukanisman, the Finance Ministry has set a ceiling price of RM160 million if the government decides to go ahead with its plan to acquire MySejahtera, adding that certain payments have already been made.

“I will furnish these data in writing to Bandar Kuching,” he said.

The Health Ministry’s contract with MySJ on the use of the MySejahtera app, which began on April 1, 2021, is set to end on March 31 this year.

On how much it will cost the government to continue maintaining the app upon the end of the contract, Lukanisman said this will only be decided then. – The Vibes, February 27, 2023