What Malaysians need to understand about the 'sayakenahack' website

What exactly is going on and what can average Malaysians actually do about it?

It hasn't been long since the Sayakenahack website was put up, but MCMC has now restricted access to the website via DNS-level blocking.

What the 'hack' is going on? Let's make things as simple to understand as possible with some Q&As.

1. What? MCMC blocked a website that's not fan fiction or porn?

In a statement on its Facebook page, MCMC stated: "MCMC has taken action to block the website sayakenahack.com after receiving an application from the Data Privacy Protection Department (JPDP) under Section 130, Act 709 of the 2010 Data Privacy Act."

2. Is Sayakenahack actually safe? Or is it just a front for a data phishing scheme?

Founder Keith Rozario, who coded the site, wrote a blog post to address concerns some people had about it. To summarise it for those who are seeking clarification (TLDR, you're welcome): he described the precautions he took to keep the site safe. For instance, hackers can't get into the site via a server because it doesn't rely on a server. Instead, it utilises Amazon cloud services (Amazon S3), which means there is no server to compromise.

To be clear, Rozario doesn't state that the site is unhackable - but by removing any server from the equation and masking the data, he's at least attempted to minimise security risks. Hackers who try to pull data from the database won't even, for instance, be able to retrieve full phone numbers. He also describes just how the data is stored in the database, plus he's been pretty transparent about the code used in the website - revealing, for instance, that it uses TLS to secure data and that the site has one cookie for Google Analytics.

3. Can I actually trust this guy with my information?

There's always a risk each time we give out our personal information. It is never going to go away - not until we actually start limiting how much personal data entities are allowed to collect.

A background check on Rozario himself isn't hard. He has a website. He uses his real name. He can be contacted directly via social media channels. From all of this we can conclude that he isn't some shady anonymous person hiding out in some dark corner of the Internet.

4. But Erna, now he has my IC, he might be selling it off! Verifying it means he made his data valuable!

Newsflash, your information has already been compromised. While there have been arguments that Rozario compiling a database with the stolen data makes him suspect, the reality is that anyone with the knowledge of where to go can access the same info. It's not as easy as a Google search, but neither is it all that difficult to procure.

What Rozario's website did was to verify whether or not your IC has been compromised. Isn't that better than not knowing that someone has all your phone numbers as well as your address and IC? 

5. So I did try the website and my information is compromised. What do I do now?

If you're upset enough, let your telco know about your grievance or consider a switch. What's particularly distressing is that the telcos have not come out to reassure customers. Jobstreet, at least, has admitted to the breach, and informed its customers about the measures it's taking to prevent something like that from occurring again. It doesn't change what happened - but being transparent about it at least reassures people that something is being done and that the brand has some sense of responsibility, as opposed to just pretending nothing happened.

Leaving customers in the dark does no one any good - except for the people who are making money selling our data to the highest bidder.