Parents could retrieve their children's examination results by entering their MyKad number.

PUTRAJAYA, June 10 — The Ministry of Education’s School Examination Analysis System (SAPS) was taken offline yesterday, following the discovery of a security exploit that could have potentially exposed the personal details of more than 10 million citizens.

Malay Mail was alerted to the vulnerability on Friday evening by a reader, who insisted on remaining anonymous and said he had reached out to the media after the ministry ignored his earlier warning.

The paper later alerted the Malaysian Computer Emergency Response Team (MyCERT), following consultations with tech blogger Keith Rozario, who has covered data breaches extensively, and Khairil Yusof, the co-founder of local technology advocacy group Sinar Project.

MyCERT responded to Malay Mail on Saturday noon, and the website was later taken down that same day.

SAPS is a portal for students and their parents to access their examination results online, by entering the students’ MyKad number.

The data can also be retrieved by the District Education Office, National Registration Department and the Education Ministry.

“Great system, but the backend is a total failure. They store millions of records of students’ details, but they never hide this information. Some very personal details can be accessed without permission, and they are just ignoring it.

“The system has been flawed since day one,” said the anonymous source.

SAPS was launched in 2011. The source told Malay Mail he had only recently discovered the vulnerability, after the system's interface, and presumably parts of its code, had been updated.

The extent of the data breach

The source claimed that he could download the data of 4,940,203 students from the server, which could potentially expose over 10.3 million Malaysians in total, since the information of each parent is linked to their children.

With 28.7 million citizens as at the first quarter of this year, according to the Department of Statistics, the breach could have affected over a third of all Malaysian citizens.

SAPS has since been taken offline following Malay Mail's report to MyCERT.

Malay Mail had sighted the nearly 1GB of data the source had managed to pull from the server, but has not yet been able to verify its authenticity. The source has since deleted his copy of the data, but not before allowing access to other media outlets.

Rozario, who went through some of the data, said although the number of people affected was smaller than previous breaches, the types of data affected were more wide-ranging.

“The data includes the MyKad numbers of students, and both their parents. Hence, it captures the marital status and spousal information of adults, as well as the information of their school-going children. It’s a breach that affects the entire family unit.

“Years from now, when these children grow up, get a job, and finally earn enough to have a credit card, the answer to their security question of ‘mother’s maiden name’ is in this breach,” he told Malay Mail.

Rozario said the data downloaded seemed to cover only children born between 1995 and 2006, and included the children's school details, current address, and even class and teacher information.

“It's quite easy to piece together who a child’s classmates are, and who the parents of the classmates are as well, creating a very rich data set of a child's schooling friend and family,” he said.

Rozario said the data also covered around 450,000 teachers, including the subjects they teach and the schools they are attached to. Since the teachers' ages ranged from 19 to 85, the data would presumably include retired teachers as well.

In his complaint, the reader said he found out that the SAPS login details were sent without a secure HTTPS connection. Anyone else who was listening would be able to monitor the teachers keying in their data, he said.

He also described the login mechanism as “a total joke”, since the passwords were stored in a plain text document without any encryption or hashing.

“It was like a door with no walls beside it; you could just bypass it,” the source said.

He also listed several other technical problems with the system, including the failure to “sanitise” user input; sanitising would have prevented intruders from inserting their own code into an entry field for the system to execute.

“The exploit was an SQL injection, which could be performed by a child. Just take a lesson and around five hours, and they can get all the database from the server,” he said.
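The two weaknesses the source describes, an entry field whose contents are spliced straight into a database query and a password store kept in plain text, are illustrated below in an added example. This is not code from SAPS or from the article; the `students` table, its column names, the sample rows and the assumption that a MyKad number is exactly 12 digits are all constructed for the illustration. The unsafe lookup shows how a stray quote in the entry field changes what the query does, and the hardened lookup beside it validates the input and passes it as a bound parameter; the password helpers show salted, iterated hashing in place of plain-text storage.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample data, not from SAPS. Column layout is an assumption.
SAMPLE_STUDENTS = [
    ("900101011234", "Student A", "School X", "A"),
    ("900202022345", "Student B", "School Y", "B"),
]


def make_db():
    """Build an in-memory table of constructed student records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (mykad TEXT PRIMARY KEY, name TEXT, school TEXT, grade TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_STUDENTS)
    return conn


def lookup_unsafe(conn, mykad):
    """The pattern the article describes: user input pasted into the SQL text.

    A value containing a quote character is no longer treated as data; it becomes
    part of the query, so the WHERE clause can be made to match every row.
    """
    sql = "SELECT name, school, grade FROM students WHERE mykad = '" + mykad + "'"
    return conn.execute(sql).fetchall()


# Assumption: MyKad numbers are 12 decimal digits. Reject anything else up front.
MYKAD_RE = re.compile(r"\d{12}")


def lookup_safe(conn, mykad):
    """Hardened form: validate the input, then bind it as a parameter.

    The driver sends the value separately from the SQL text, so it can never
    alter the query's structure regardless of what it contains.
    """
    if not MYKAD_RE.fullmatch(mykad):
        raise ValueError("MyKad number must be exactly 12 digits")
    return conn.execute(
        "SELECT name, school, grade FROM students WHERE mykad = ?", (mykad,)
    ).fetchall()


def rejects_malformed(conn, value):
    """True if the hardened lookup refuses the value before touching the database."""
    try:
        lookup_safe(conn, value)
    except ValueError:
        return True
    return False


# Password storage: salted PBKDF2-HMAC-SHA256 instead of a plain-text file.
def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed: a quote that rewrites the unsafe query
    print("unsafe rows returned:", len(lookup_unsafe(db, crafted)))
    print("safe lookup rejects it:", rejects_malformed(db, crafted))
    print("safe lookup by number:", lookup_safe(db, "900101011234"))
    record = hash_password("correct horse")
    print("stored record:", record)
    print("verifies:", verify_password("correct horse", record))
```

The validation step matters independently of parameter binding: a lookup keyed on a national ID number has no legitimate reason to accept anything other than the expected digits, so a format check gives a clean rejection and a loggable event before the database is involved. Bound parameters then close the hole for every remaining code path, including ones that take free-text input.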


How to patch things up

In an email response, MyCERT had suggested that “the web administrator uses the Web Application Firewall as an extension to improve web security, and perform a penetration testing periodically to detect new vulnerabilities and fix it immediately”.

It also asked the administrator to “speed up patches and upgrade to existing systems or hardware and always be aware of alerts on web vulnerabilities, and update the unused folder or file and configure the ownership setting to prevent abuses by intruder”.

Malay Mail could not yet ascertain the company or ministry department contracted to develop the system, and whether they had any prior experience in the field.

“There are strong concerns on how a national public web service, which deals with the personal data of millions of parents and students who are minors, could be implemented so poorly,” Khairil told Malay Mail.

“The poor coding practices, which allowed for the security issue, would have been caught upon review by even inexperienced developers. It raises questions on the procurement of the system, and the selection criteria of information technology service providers.”

Khairil said Putrajaya should now make it a priority to conduct an IT security audit of all public websites dealing with personal data.

“Future procurement of IT services should also include security audits as a standard part of acceptance testing of solutions provided by vendors, to reduce the possibility of large-scale personal data leaks by government agency digital services,” he added.

SAPS was started as part of former prime minister Datuk Seri Najib Razak’s National Key Results Areas (NKRA), which started in 2009, under the education section.

Tan Sri Muhyiddin Yassin was the education minister under the Barisan Nasional administration then. He is now the home affairs minister, under the Pakatan Harapan government. Malay Mail is seeking clarification from him over his involvement with SAPS.

Newly-minted Education Minister Maszlee Malik was notified of the matter on Friday night. He has yet to respond to a request for comment.

The security exploit follows tech forum Lowyat.net’s report last week that some 60,000 Astro IPTV customer details were being sold online in January.

The Astro leak was related to the theft of personal data also reported by Lowyat.net in November, citing the leakage of 50 million pieces of personal data from telecommunications companies and 17 million from job search sites.

The website also reportedly said that 46.2 million mobile phone numbers from various local telecommunications companies were leaked online.