PUTRAJAYA: Security concerns over the MySejahtera app are among the weaknesses highlighted in Series 2 of the 2021 Auditor-General’s report.
The report found that there were a total of 1.12 million cyber attack attempts on the MySejahtera app.
Citing the minutes from the MySejahtera security meeting in 2022, the audit findings on the Health Ministry and National Security Council’s Management of Covid-19 Vaccine Recipient Registration and the MySejahtera app revealed that cyber attack attempts began on Oct 27, 2021 using a specific IP address.
Action was taken to beef up security, including taking down the IP address used for the attacks, installing a web application firewall on Nov 1, 2021 and carrying out continuous surveillance on the app.
The Health Ministry said in its response to the National Audit Department on Sept 9, 2022 that the IP address used in the cyber attack was deactivated on Oct 28, 2021, and a police report was lodged on Nov 5, 2021.
The ministry also told the Audit Department that it has studied the cause of the attack and taken action to improve the system.
In addition, the audit report tabled in the Dewan Rakyat yesterday discovered that from Oct 28 to Oct 31, 2021, there were attempts from a “super admin” account to download information of three million vaccine recipients using five IP addresses.
Further audit checks on user data revealed that the account allowed access to the vaccine administrator of the MySejahtera app. Access to a vaccine administrator paves the way for the user to download all vaccination data in bulk and even enables them to destroy the data.
As a precautionary measure, the Health Ministry cancelled the super admin account and lodged a police report on Nov 5, 2021.
In its response to the Audit Department, the ministry said the super admin account, which was authorised by the Health Ministry, was abused and a request to download the data of three million vaccine recipients from MySejahtera was submitted.
“As soon as the matter was discovered, the account was restricted immediately,” said the Health Ministry. It added that the matter was under police investigation.
“The security management of the MySejahtera data and application has to be strengthened to curb cyber attacks and ensure that the data of vaccine recipients is safe,” read the audit opinions.
In its overall opinion, the report found that the management of registration of Covid-19 vaccine recipients and the MySejahtera app was well implemented.