Attempts from a ‘super admin’ account to download information of three million vaccine recipients from Oct 28 to Oct 31, 2021, using five IP addresses.
There were a total of 1.12 million cyber-attack attempts against the MySejahtera app, according to the Series 2 of the 2021 Auditor-General’s report.
Citing the minutes from the MySejahtera security meeting in 2022, the audit findings on the Health Ministry and National Security Council’s Management of Covid-19 Vaccine Recipient Registration and MySejahtera App revealed that cyber-attack attempts began on Oct 27, 2021 using a specific IP address.
However, action was taken to beef up security, including taking down the IP address used for the attacks, installing web application firewall on Nov 1, 2021, and carrying out continuous surveillance on the app.
The Health Ministry said in its response to the National Audit Department on Sept 9, 2022, that the IP address used in the cyber attack was deactivated on Oct 28, 2021, and a police report was lodged on Nov 5, 2021.
The ministry also told the Audit Department that it has studied the cause of the attack and taken actions to improve the system.
On another note, the audit report tabled in the Dewan Rakyat on Feb 16, also found that there were attempts from a “super admin” account to download information of three million vaccine recipients from Oct 28 to Oct 31, 2021, using five IP addresses.
Further audit checks on user data revealed that the account allows access to a vaccine admin of the MySejahtera app.
Access to vaccine admin paves way for the user to download all vaccination data in bulk and even enables them to destroy the data.
As a precautionary measure, the Health Ministry had cancelled the super admin account and lodged a police report on Nov 5, 2021.
The ministry in its response to the Audit Department, said the super admin account which was authorised by the Health Ministry was abused and a request to download data of three million vaccine recipients from MySejahtera was submitted.
“As soon as the matter was discovered, the account was restricted immediately,” the Health Ministry added.
It added that the matter was under police investigation.
“The security management of the MySejahtera data and application has to be strengthened to curb cyberattacks and ensure that the data of vaccine recipients are safe,” read the audit opinions.
In its overall opinion, the report found that the management of registration of Covid-19 vaccine recipients and MySejahtera application was well implemented. – The Star