A recent discovery of a loophole in the Malaysian Road Transportation Department's VEP website threatens possible personal data exposure
Singaporean motorists' personal data possibly exposed in loophole on Malaysia's VEP website

Thousands of foreign motorists, including Singaporeans, run the risk of having their personal information exposed after a recent discovery of a loophole in the Malaysian Road Transportation Department's VEP (Vehicle Entry Permit) website.

Information like a driver's NRIC number, address, contact numbers, passport details and chassis information can be seen on the Transportation Department's website by simply making an alteration to the site's URL.
The data can be viewed in a matter of seconds by a registered VEP holder.
The discovery was made by accident after Singaporean driver Mohammad Hafiz "cut and pasted" the website's URL and sent it to his nephew on Friday morning (April 26) to help him register for his VEP.
Mr Hafiz, 28, told The Straits Times: "When he opened the page, he was surprised he was staring at my own details and not his."
When Mr Hafiz, an IT specialist, made some changes to the URL that showed his VEP account, he was able to see sensitive information of other motorists.
Added Mr Hafiz: "There should have been penetration tests done to the website to make sure that a motorist is looking only at his account and not others. I can't imagine what would happen if somebody had harvested the information that's freely available."
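The flaw described here, where changing the URL shows another holder's record, is a missing per-record ownership check. The Python sketch below is an added example, not code from the VEP site; the record IDs, field names and function names are hypothetical. It shows the flawed lookup beside a corrected one, plus a log check for a single session pulling many distinct records.

```python
# Added illustration; record IDs, field names and functions are hypothetical.
from collections import defaultdict

# Constructed sample data: permit records keyed by the identifier carried in the URL.
RECORDS = {
    1001: {"owner": "alice", "name": "A. Tan", "passport": "X0000001"},
    1002: {"owner": "bob", "name": "B. Lim", "passport": "X0000002"},
}


def view_record_vulnerable(session_user, record_id):
    """Flawed pattern: any logged-in user gets whatever ID the URL names."""
    if session_user is None:
        return 401, None
    record = RECORDS.get(record_id)
    return (200, record) if record else (404, None)


def view_record_fixed(session_user, record_id):
    """Hardened: the record must belong to the authenticated session."""
    if session_user is None:
        return 401, None
    record = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours", so responses do not confirm valid IDs.
    if record is None or record["owner"] != session_user:
        return 404, None
    return 200, record


def flag_enumeration(access_log, max_distinct=3):
    """Detection: sessions that requested more distinct record IDs than one holder needs."""
    seen = defaultdict(set)
    for user, record_id in access_log:
        seen[user].add(record_id)
    return sorted(u for u, ids in seen.items() if len(ids) > max_distinct)


# Constructed access log of (session user, requested record ID) pairs.
SAMPLE_LOG = [("alice", 1001), ("alice", 1001)] + [("bob", i) for i in range(1000, 1010)]
```

The ownership test belongs on the server for every request that names a record; the log check only helps establish afterwards whether records were harvested.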
ST alerted the Malaysian authorities to the data loophole at around noon on Friday (April 26). As of 4.30pm on Friday, the ST team was still able to access the website and look at other motorists' details. But at about 5pm, access to the website was blocked, with a message alerting users that maintenance was ongoing.
Malaysia's Transport Ministry had announced on Thursday that the VEP scheme will be enforced in phases. The first phase is for foreign vehicles entering the country from Singapore through the Causeway and Second Link, and will start on Oct 1.
The second phase will involve entry points between Malaysia and Thailand, and the third phase at all entry points to Malaysia from Brunei as well as from Indonesia.
The availability of personal data on the site would come in useful for those in the financial industry or businesses that depend on contacts, said Mr Roger Rajan from JMS Rogers, a debt collection company.
From his understanding, similar information can be bought. Mr Rajan, 48, told ST: "Some business people would be overjoyed to have this type of information for free. With it, background checks can be done. Also, by knowing what type of car a person drives, it can speak volumes about a person's lifestyle, which would make him a target for marketing ploys."
The same information could also be used for shady purposes.
Added Mr Rajan: "If the information falls into the wrong hands, some may fall victim to loan scams and other types of scams. The harassment would continue because people who acquire the information can sell the data to others."
Experts said that it is possible that the data has been accessed by external parties.
Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the loss of such details could facilitate fraud, as personal details such as residential addresses can no longer be an effective security measure to verify someone's identity.
He said of the error on the VEP site: "This is a very common programming error, it is a schoolboy mistake... You essentially have access to the entire database."
Mr Andrew Tsonchev, director of technology at cyber-security firm Darktrace, said such vulnerabilities could be introduced during a website update.
He added: "If it's just passwords (that are compromised), you can change that, but with identification numbers and passports there is not much you can change.
"It leaves the people involved quite powerless."
One of the affected motorists contacted, who only wanted to be known as Shahrin, said he had registered for the VEP about two years ago. The bus driver, 37, said: "Now I am worried because people may misuse my particulars, such as giving my details instead of their own when they get fines."
Malaysia-based lawyer Foong Cheng Leong, who specialises in data protection laws, told ST that Malaysia's Personal Data Protection Act would not be applicable in this case as the law does not apply to government agencies.
"There would be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence," he said.
Mr Lee Wai Mun, the chief executive of the Automobile Association of Singapore, told ST he was surprised that confidential information could be easily accessed.
His advice to motorists is to wait for the Malaysian authorities to sort the matter out before signing up for the VEP. He said: "Most of us visit Malaysia on a social basis, except those who travel there for business. There's plenty of time to register (for the VEP) as the enforcement of registration will only start from October."