Motorists' personal data possibly exposed in loophole on Malaysia's VEP website
26 Apr 2019|12,747 views
Thousands of foreign motorists, including Singaporeans, run the risk of having their personal information exposed after a recent discovery of a loophole in the Malaysian Road Transportation Department's Vehicle Entry Permit (VEP) website. Information like a driver's NRIC number, address, contact numbers, passport details and chassis information can be seen on the Transportation Department's website by simply making an alteration to the site's URL. The data can be viewed in a matter of seconds by a registered VEP holder.


ST alerted the Malaysian authorities to the data loophole at around noon on Friday (26 April). As of 4:30pm on Friday, the ST team was still able to access the website and look at other motorists' details. But at about 5:00pm, access to the website was blocked, with a message alerting users that maintenance was ongoing.
Malaysia's Transport Ministry had announced on Thursday that the VEP scheme will be enforced in phases. The first phase is for foreign vehicles entering the country from Singapore through the Causeway and Second Link, and will start on 1 Oct. The second phase will involve entry points between Malaysia and Thailand, and the third phase at all entry points to Malaysia from Brunei as well as from Indonesia.


The same information could also be used for shady purposes. Added Mr. Rajan, "If the information falls into the wrong hands, some may fall victim to loan scams and other types of scams. The harassment would continue because people who acquire the information can sell the data to others."
Experts said that it is possible that the data has been accessed by external parties. Mr. Aloysius Cheang, Asia-Pacific Executive Vice President of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the loss of such details could facilitate fraud, as personal details such as residential addresses can no longer be an effective security measure to verify someone's identity. He said of the error on the VEP site, "This is a very common programming error, it is a schoolboy mistake... You essentially have access to the entire database."
Mr. Andrew Tsonchev, Director of Technology at cyber-security firm Darktrace, said such vulnerabilities could be introduced during a website update. He added, "If it's just passwords (that are compromised), you can change that, but with identification numbers and passports there is not much you can change. It leaves the people involved quite powerless."
One of the affected motorists contacted, who only wanted to be known as Shahrin, said he had registered for the VEP about two years ago. The bus driver, 37, said, "Now I am worried because people may misuse my particulars, such as giving my details instead of their own when they get fines."
Malaysia-based lawyer Foong Cheng Leong, who specialises in data protection laws, told ST that Malaysia's Personal Data Protection Act would not be applicable in this case as the law does not apply to government agencies. "There would be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence," he said.
Mr. Lee Wai Mun, the Chief Executive of the Automobile Association of Singapore, told ST he was surprised that confidential information could be easily accessed. His advice to motorists is to wait for the Malaysian authorities to sort the matter out before signing up for the VEP. He said, "Most of us visit Malaysia on a social basis, except those who travel there for business. There's plenty of time to register (for the VEP) as the enforcement of registration will only start from October."
Thousands of foreign motorists, including Singaporeans, run the risk of having their personal information exposed after a recent discovery of a loophole in the Malaysian Road Transportation Department's Vehicle Entry Permit (VEP) website. Information like a driver's NRIC number, address, contact numbers, passport details and chassis information can be seen on the Transportation Department's website by simply making an alteration to the site's URL. The data can be viewed in a matter of seconds by a registered VEP holder.


ST alerted the Malaysian authorities to the data loophole at around noon on Friday (26 April). As of 4:30pm on Friday, the ST team was still able to access the website and look at other motorists' details. But at about 5:00pm, access to the website was blocked, with a message alerting users that maintenance was ongoing.
Malaysia's Transport Ministry had announced on Thursday that the VEP scheme will be enforced in phases. The first phase is for foreign vehicles entering the country from Singapore through the Causeway and Second Link, and will start on 1 Oct. The second phase will involve entry points between Malaysia and Thailand, and the third phase at all entry points to Malaysia from Brunei as well as from Indonesia.


The same information could also be used for shady purposes. Added Mr. Rajan, "If the information falls into the wrong hands, some may fall victim to loan scams and other types of scams. The harassment would continue because people who acquire the information can sell the data to others."
Experts said that it is possible that the data has been accessed by external parties. Mr. Aloysius Cheang, Asia-Pacific Executive Vice President of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the loss of such details could facilitate fraud, as personal details such as residential addresses can no longer be an effective security measure to verify someone's identity. He said of the error on the VEP site, "This is a very common programming error, it is a schoolboy mistake... You essentially have access to the entire database."
Mr. Andrew Tsonchev, Director of Technology at cyber-security firm Darktrace, said such vulnerabilities could be introduced during a website update. He added, "If it's just passwords (that are compromised), you can change that, but with identification numbers and passports there is not much you can change. It leaves the people involved quite powerless."
One of the affected motorists contacted, who only wanted to be known as Shahrin, said he had registered for the VEP about two years ago. The bus driver, 37, said, "Now I am worried because people may misuse my particulars, such as giving my details instead of their own when they get fines."
Malaysia-based lawyer Foong Cheng Leong, who specialises in data protection laws, told ST that Malaysia's Personal Data Protection Act would not be applicable in this case as the law does not apply to government agencies. "There would be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence," he said.
Mr. Lee Wai Mun, the Chief Executive of the Automobile Association of Singapore, told ST he was surprised that confidential information could be easily accessed. His advice to motorists is to wait for the Malaysian authorities to sort the matter out before signing up for the VEP. He said, "Most of us visit Malaysia on a social basis, except those who travel there for business. There's plenty of time to register (for the VEP) as the enforcement of registration will only start from October."
Latest COE Prices
May 2025 | 1st BIDDING
NEXT TENDER: 21 May 2025
CAT A$103,009
CAT B$119,890
CAT C$62,590
CAT E$118,889
View Full Results Thank You For Your Subscription.