14th October 2022
Bank Negara Malaysia (BNM) has instructed online payment gateway iPay88 to undertake additional measures to further strengthen its cybersecurity controls and IT infrastructure. This came following the completion of an independent forensic investigation that was carried out due to the cybersecurity breach encountered by iPay88 earlier this year.
With the investigation recently concluded, BNM noted that iPay88 has taken the necessary containment and rectification measures to address the gaps that were identified. However, it also said that additional safeguards must be implemented to better protect iPay88’s operations and data against future threats, ensuring that similar incidents do not reoccur.
“BNM will continue to closely monitor iPay88’s implementation of these measures, and where appropriate, will undertake further supervisory or enforcement action,” the central bank further noted in a statement, adding that it has also directed banks and card issuers to remain alert and continue monitoring cards that may be at risk. Customers will be contacted if suspicious activities are detected.
Furthermore, BNM reassured the public that Malaysia’s banking and payment systems continue to remain secure. “Under existing payment card rules, customers will not be liable for any fraudulent or unauthorised transactions, as long as customers have taken reasonable precautions to safeguard their payment cards,” it stated.
Meanwhile, in a separate statement, iPay88 clarified that the cybersecurity incident was “the product of a sophisticated intrusion by an unidentified party or parties”, specifically targeting card data from online transactions. There was no impact on the data from transactions made through other channels, including Android terminals, e-wallet QR payments, online banking, BNPL vending machines, point-of-sales (POS), and batch card payment.
iPay88 also acknowledged its responsibility in protecting its customers’ card information, and confirmed that it has taken the necessary steps to contain the situation as well as ensure all transactions are secure. These were successfully completed by 20 July 2022. “We respectfully apologise to the Malaysian public, our business partners, and merchants for this incident,” it further said.
“We would also want to reassure the Malaysian public that, substantively, Malaysian cards are protected against unlawful and fraudulent use by the 3D secure system which requires online transactions to be verified by the use of a one-time pin sent directly to cardholders,” iPay88 added, noting that it is already cooperating with other industry players to reduce the risks that could have stemmed from this incident, and will invest more resources to enhance its cybersecurity.
In August 2022, iPay88 revealed it was the victim of a data breach back in May 2022, which in turn caused customers’ card data to be compromised. While it did not offer any explanation as to why the breach was only disclosed two months after its occurrence, iPay88 stated that it had immediately initiated an investigation on 31 May upon discovering the breach, and had since been working closely with the authorities and other relevant parties on the matter.