BNM instructs iPay88 to further strengthen cyber security controls following data breach incident earlier in the year

• Directs banks & card issuers to keep high vigilance over activities of cards
• Public reminded under existing payment card rules, customers not liable

In a press release today, Bank Negara Malaysia (Bank Negara) said that following the completion of the independent forensic investigation, iPay88, a provider of payment gateway services to banks and merchants, has taken the necessary containment and rectification measures to address gaps that were identified.

A successful Malaysian startup that built a regional business, iPay88 is owned by Japan’s NTT Data that took a majority stake in it via NTT Data Asia Pte Ltd in September 2015.

In addition, BNM has also instructed iPay88 to undertake additional measures to further strengthen its cyber security controls and IT infrastructure. These measures are aimed at ensuring that similar incidents do not recur in the future and to safeguard against future threats. BNM will continue to closely monitor iPay88’s implementation of these measures and where appropriate, will undertake further supervisory or enforcement action.

Bank Negara’s statement follows on the heels of its initial response on 12 Aug to the potential iPay88 data breach incident announced by the fintech on 11 Aug where it confirmed a possible cyber security incident affecting user card data involving its online payment portal users.

iPay88 never publicly disclosed the actual period when the breach happened only saying that since May 31 it had utilised cyber security experts to curb the potential breach and that “the process of blocking was successfully completed and no suspicious activities were detected since July 20.”

Bank Negara in its statement the next day, 12 Aug, sought to reassure the public that the breach originated from and was confined to iPay88’s payment card systems and did not involve vulnerabilities in the country’s banks’ systems. 

Meanwhile in its own press release today, iPay88 said that the cybersecurity breach was the product of a sophisticated intrusion by an unidentified party or parties. It acknowledged its responsibility to protect card information and “respectfully apologize to the Malaysian public, our business partners, and merchants for this incident.”

As it did in its Aug statement, Bank Negara today emphasised that it has directed banks and card issuers to maintain heightened vigilance over activities of cards that may be at risk, reassuring the public that Malaysia’s banking and payment systems remain safe and secure. It said customers will be contacted if any suspicious activity is detected through the monitoring activities of their banks or card issuers.

The central bank also reminded the public that under existing payment card rules, customers will not be liable for any fraudulent or unauthorised transactions, as long as customers have taken reasonable precautions to safeguard their payment cards.

For further information, the public is urged to refer to the Credit Card Policy Document and Debit Card Policy Document.

Bank customers are advised to immediately notify their banks if they observe any irregular or unauthorised card transactions.

For further enquiries or complaints, Bank Negara urges members of the public to contact BNMTELELINK at 1-300-88-5465 or eLink.