Error on Neurology Registry site exposes patients’ personal data

Anyone can access the database and download and edit the information.

PETALING JAYA: Personal data on the website of the government-linked National Neurology Registry is freely available to the public due to a scripting error.

An FMT reporter, acting on a tip-off from an anonymous source, was able to access the registry’s database and see the NRIC numbers, phone numbers, addresses and other data pertaining to more than 17,000 patients.

All the data was downloadable and editable.

The source, based in Canada, said he stumbled upon a broken link on the website when he was looking for information on Malaysian neurology patients.

He pointed to the page with the HTML scripting error. The reporter went to the page and saw the database link as well as the username and password for accessing it.

The link also appears on Google search.

“I must say this is a shame to the country for not protecting patient data and violating patients’ confidentiality,” said the source.

“It doesn’t even take an IT person like me to figure out how to get the data.”

The registry, sponsored by the health ministry, was developed in 2008 by Rocket Integration Technology, a company based in Shah Alam.

The exposé comes just weeks after Lowyat.net exposed weaknesses in security protocols used by the Cost of Living Aid website. Bank account numbers could be seen on the website just by inputting NRIC numbers.

IT lecturer Selvakumar Manickam of Universiti Sains Malaysia told FMT he had stress-tested plenty of government websites.

“I’ll say they are easily hackable” because “developers are too lazy to do a proper job,” he added.

He said programmers would need to fine-tune file access permission after building websites. “But this is a tedious job. So they just leave the access unchanged, allowing the websites to be easily hackable. They do that because it makes life easier for them.”
