
Data Theft Is Rising in Malaysia — How to Protect Your Business

·6 min read·Cyberkiz

CyberSecurity Malaysia has reported a steep increase in data theft incidents across the country. The numbers paint a troubling picture: data-related cybersecurity incidents have surged significantly year-over-year, with small and medium enterprises bearing a disproportionate share of the impact.

If you are an SME owner in Malaysia, this is not someone else's problem. It is yours.

The Numbers Tell the Story

Malaysia consistently ranks among the top countries in Southeast Asia for reported data breaches. MyCERT (Malaysia Computer Emergency Response Team) has tracked a sharp upward trend in data theft incidents, with system intrusions and data exfiltration forming an increasing proportion of total cybersecurity reports.

The reality is likely worse than the statistics suggest. Many breaches go undetected for months, and not all victims report incidents to authorities.

Why SMEs Are Prime Targets

Large corporations invest millions in cybersecurity teams and enterprise-grade tools. SMEs typically do not — and criminals know this. Attackers deliberately target smaller businesses because:

  • Fewer security controls — Many SMEs lack basic protections like multi-factor authentication or endpoint detection
  • Valuable data — Customer records, payment information, employee details, and intellectual property are all monetisable on dark web marketplaces
  • Gateway to larger targets — If your business supplies services to a larger corporation, compromising you can provide access to their systems (supply chain attacks)
  • Limited monitoring — Without dedicated security staff, breaches often go unnoticed for weeks or months

Common Causes of Data Theft

Understanding how breaches happen is the first step to preventing them:

Weak and Reused Passwords

The most common entry point remains compromised credentials. When staff use simple passwords or reuse the same password across multiple services, a breach anywhere becomes a breach everywhere.

Unpatched Systems

Software vulnerabilities are discovered daily. When businesses fail to apply security updates to their operating systems, applications, and plugins, they leave known doors open for attackers.

Phishing Attacks

Employees click on malicious links or open infected attachments. A single successful phishing email can give an attacker a foothold in your entire network.

Insider Threats

Not all data theft comes from outside. Disgruntled employees, careless staff, or former employees whose access was never revoked can all cause significant data loss.

Unsecured Cloud Storage

Misconfigured cloud services — databases without passwords, public S3 buckets, shared drives with overly broad permissions — are a common source of large-scale data exposure.

Your PDPA Obligations

Under the Personal Data Protection Act 2010 (PDPA), if your business collects, processes, or stores personal data, you are a data controller with legal obligations:

  • Security Principle: You must take practical steps to protect personal data from loss, misuse, modification, unauthorised access, or accidental disclosure
  • Retention Principle: You must not keep personal data longer than necessary for the purpose it was collected
  • Data Breach Notification: Under the 2024 amendments, data controllers are now required to notify the Commissioner and affected individuals of data breaches within a prescribed timeframe
  • Penalties: Non-compliance can result in fines of up to RM500,000 and/or imprisonment of up to 3 years

These are not theoretical penalties. The Department of Personal Data Protection (JPDP) has been actively issuing enforcement notices and conducting investigations.

Practical Steps You Can Take Today

1. Enforce Strong Password Policies

Require all staff to use unique, complex passwords for every system. Better yet, implement a password manager for your team. Enable multi-factor authentication (MFA) on every service that supports it — especially email, banking, and cloud services.

2. Keep Everything Updated

Enable automatic updates where possible. For systems that require manual patching, schedule a monthly “patch day” and treat it as non-negotiable. Prioritise internet-facing systems like your website, email server, and VPN.

3. Limit Access to What Is Necessary

Apply the principle of least privilege: every user should have access only to the data and systems they need for their specific role. Review permissions quarterly and revoke access immediately when someone leaves the company.
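One way to run the quarterly review described above, as an added example that is not part of the original article: the script compares a staff roster with an account export and flags leavers, accounts with no staff record, group memberships beyond the role, and idle logins. The CSV columns, the role-to-group policy and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR roster and an account export from a directory
# or SaaS admin console. Column names are assumptions for this example.
HR_ROSTER = """email,role,status
aina@example.com,finance,active
farid@example.com,sales,active
mei@example.com,sales,left
"""

ACCOUNTS = """email,groups,last_login
aina@example.com,finance;payroll,2025-05-28
farid@example.com,sales;finance,2025-05-30
mei@example.com,sales,2025-01-12
old-vendor@example.com,admin,2024-11-02
"""

# Hypothetical role-to-group policy: the groups each role actually needs.
ROLE_GROUPS = {"finance": {"finance", "payroll"}, "sales": {"sales"}}


def review_access(roster_csv, accounts_csv, today, stale_days=90):
    """Return (email, finding) pairs for accounts that need attention."""
    roster = {r["email"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"]
        person = roster.get(email)
        if person is None:
            findings.append((email, "no matching staff record: disable and investigate"))
            continue
        if person["status"] != "active":
            findings.append((email, "staff member has left: revoke access now"))
            continue
        extra = set(acct["groups"].split(";")) - ROLE_GROUPS.get(person["role"], set())
        if extra:
            findings.append((email, "groups beyond role: " + ",".join(sorted(extra))))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append((email, f"no login for {idle} days"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(HR_ROSTER, ACCOUNTS, date(2025, 6, 1)):
        print(f"{email}: {finding}")
```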

4. Back Up Your Data

Maintain regular backups following the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy stored offsite (or in the cloud). Test your backups monthly to ensure you can actually restore from them.

5. Train Your People

Conduct regular cybersecurity awareness sessions. Focus on practical skills: how to spot phishing emails, what to do if they click something suspicious, and how to report incidents internally. Make it safe for staff to report mistakes without fear of punishment.

6. Know Your Data

You cannot protect what you do not know you have. Map out what personal data your business collects, where it is stored, who has access, and how long you keep it. This exercise often reveals surprising data sprawl.

7. Have an Incident Response Plan

When — not if — a breach occurs, you need to know what to do. Document a simple plan covering:

  • Who to contact first (internal team lead, then authorities)
  • How to contain the breach (disconnect affected systems)
  • How to assess what was compromised
  • How to notify affected parties and regulators
  • How to preserve evidence for investigation

Reporting a Data Breach

If your business experiences a data breach:

  1. Contain — Isolate affected systems immediately
  2. Assess — Determine what data was compromised and how many people are affected
  3. Report to MyCERT — Email [email protected] or call +603-8992 8888
  4. Notify JPDP — If personal data was compromised, notify the Commissioner as required under PDPA
  5. Inform affected individuals — If the breach poses a risk of harm
  6. Lodge a police report — Required for formal investigation and insurance claims