The grand debut of Pangkalan Data Utama (Padu database) in Putrajaya turned into a disconcerting episode as critical flaws marred the government’s ambitious digital venture mere hours after its public unveiling. While the MyKad-related issue raised by former Deputy Minister Ong Kian Ming garnered attention, a more severe concern emerged, with developer @drmsr_dev revealing a vulnerability allowing Padu account passwords to be changed effortlessly using one’s IC number.
Immediate Identification and Resolution:
Screenshots shared on social media by @drmsr_dev demonstrated the potential exploitation of this flaw through API calls. Responding promptly, the Padu team, under the acknowledgment of the Ministry of Economy, swiftly addressed the security lapse by altering the API to rectify the vulnerability. The ministry, via a tweet, not only confirmed the issue but also emphasized ongoing improvements, characterizing the discovery as “positive criticism.”
Impact on Public Confidence:
Padu, entrusted with the personal data of millions of Malaysians, has perennially faced security concerns. The revelation of this critical flaw intensifies existing apprehensions, potentially undermining public confidence in the centralized database designed to enhance government policies and subsidy distribution. With a history of data leaks involving government agencies like Socso, JPN, and MCMC, this newfound vulnerability amplifies skepticism.
Challenges to Padu’s Objectives:
The success of Padu hinges on obtaining up-to-date details from the majority of the population. The exposed security flaw raises doubts about whether the public will trust the government’s ability to secure their data, potentially hindering the project’s success despite significant financial investment. Questions surrounding Padu’s testing and security audits before its launch have emerged, overshadowing the prompt fix by the administrator and underscoring the imperative for robust safeguards in critical digital initiatives.