29/01/2026

THURSDAY | JAN 29, 2026

5

‘Data leaks may be more widespread than believed’

Alleged organised crime group members charged

PETALING JAYA: Three alleged members of organised crime syndicate Captain Praba were charged yesterday after being flown back to Malaysia from India under tight police escort earlier in the day. Thirty-eight-year-old Navindren Raj Cumarason, 30-year-old Pratifkumar Selvaraj and 30-year-old Sridharan Subramaniam were taken to the Sepang Court Complex at 2.30pm and presented before Sessions Court Judge Ahmad Fuad Othman. They are accused of committing an offence under Section 130V(1) of the Penal Code for being members of an organised criminal group. According to the charge, the trio were allegedly involved in the syndicate’s activities at an oil palm plantation site in Jenjarom, Selangor between December 2023 and Sept 11 last year. The charge was read out in Tamil by an interpreter. They indicated that they understood the charge but no plea was recorded as the offence falls under the jurisdiction of the High Court. Ahmad Fuad then allowed the case to be transferred to the Shah Alam High Court for further proceedings. Upon conviction, the offence carries a mandatory prison sentence of between five and 20 years. Police reports indicate that the trio had earlier been deported from the United Kingdom and detained in Mumbai before being brought back to Malaysia. They arrived at KL International Airport and were taken to the Sepang district police headquarters for documentation before being escorted to the court complex. In a statement issued at 3pm yesterday, Bukit Aman Criminal Investigation Department director Datuk M. Kumar said the arrests were carried out under Ops Jack Sparrow, based on warrants issued by the Sepang Sessions Court on Jan 14. He said probes are ongoing to gather further evidence on the syndicate’s wider network. “Police appreciate the Indian authorities for the close cooperation given,” he said, adding that police remain committed to upholding the rule of law to safeguard national security and public wellbeing. Authorities previously detained 17 other suspected members in coordinated multi-state raids under the same operation last year. Investigations into the syndicate date back to 2023, with earlier reports linking the group to violent incidents in Taman Sentosa, Klang and a killing in Brickfields. Key figures in the group had been placed on international watchlists prior to their arrests overseas. – BY FAIZ RUZMAN Two-year-old dies after being left in car SEREMBAN: A two-year-old boy was found dead after being left in a car by his mother in Jalan Tunku Hassan here on Tuesday. Seremban district police chief ACP Azahar Abdul Rahim said police received a MERS 999 call at 6.15pm about the boy’s death and preliminary investigations revealed that he was found unconscious in a car after he was left by his 35-year-old mother at 8am as she went to work at a nearby bank. “The victim’s mother is said to have forgotten to send her child to daycare and only realised what had happened at 5pm when she finished work.” Azahar said the boy was pronounced dead by a medical team at the Tuanku Ja’afar Hospital before being sent to the Rembau Hospital for an autopsy to determine the cause of death. The case is being investigated under Section 31(1)(a) of the Child Act 2001 and the mother has been arrested to facilitate investigations, he said. – Bernama

o Certain information cannot be easily changed, so criminals can reuse them repeatedly for scams and phishing: Specialist

Ű BY FAIZ RUZMAN newsdesk@thesundaily.com

RM542 million in online scam losses in 2025, with RM6.7 million successfully returned to victims, according to the Home Ministry’s written parliamentary reply dated Tuesday. Home Minister Datuk Seri Saifuddin Nasution Ismail said the RM6.7 million refers strictly to cases in which investigations have been completed and the money returned to victims. “It is different from the total losses throughout 2025, which stands at RM542 million. That figure represents losses based on complaints lodged by victims and the data is what we have compiled.” He said authorities intercepted RM34 million before it moved through multiple transaction layers, but stressed that saving and returning are different because investigations are ongoing. From RM17.5 million seized, RM6.7 million has been fully returned to victims. “The money did not have the chance to PETALING JAYA: IT experts have said personal data leaks in Malaysia may be more widespread and longer-lasting than official figures suggest, following the Digital Ministry’s written parliamentary reply on Monday on recorded breach cases. Universiti Malaysia Pahang Al-Sultan Abdullah Computer Network and Cyber Security Department head Dr Syifak Izhar Hisham said the 535 recorded data breach cases under the Digital Ministry since 2022 do not reflect the true scale of intrusions. “Logically, the real number is higher than what is reported or detected. This happens everywhere, not only in Malaysia. “Leakage issues go undetected because of ‘Advanced Persistent Threats’, in which attackers are already inside the victim’s network by the time they are discovered. “Shadow IT, such as unmonitored browser usage, means organisations do not have full visibility over all their data assets. Attackers also carry out silent theft, in which they do not damage systems but quietly copy data.” She said statistics could understate the severity of exposure. “Usually, one major incident is counted as one case, but it can involve millions of data records. If you look at the dark web, a large amount of data is being leaked, but the number of cases does not reflect how critical the situation is. “When personal data is stolen, it is copied, stored and circulated within hacker communities. Information such as IC numbers and dates of birth cannot be easily changed, so criminals can reuse them repeatedly for scams, phishing and identity impersonation even years after the original breach,” she added. Universiti Teknologi Mara Institute for Big Data Analytics and AI director Prof Dr Jasni Mohamad Zain said the long-term danger lies in how leaked data is analysed

Jasni said leaks are difficult to reverse because data replication is irreversible once it propagates beyond the original system. – ADAM AMIR HAMZAH/THESUN

accounts, businesspeople at 7.5% and pensioners at 7%. “This profile helps us understand online crimes under e-financial categories, such as love scams, e-commerce scams, non-existent loans, non-existent investments and telecommunications-related crimes, so that investigative efficiency can be improved.” A total of 51 cases were reported, of which 20 have been charged in court, three were classified as no further action, seven were closed and kept in file, and 21 are under investigation. Section 424B has one case under investigation, Section 424C recorded 10 cases, all under investigation, and no reports or investigations were recorded under Section 424D as of the date of the reply. “If asked whether these figures are something to be proud of, certainly not. This performance serves as an indicator in cases of this nature.” – BY FAIZ RUZMAN “Breaches are treated as operational or technical issues to be resolved quietly. This ‘manage it internally’ approach is often driven by fear of scrutiny, uncertainty over reporting thresholds or a belief that the incident can be controlled without external involvement.” In a written Parliament reply to Datuk Seri Dr Ronald Kiandee (PN-Beluran), the Digital Ministry disclosed that 535 personal data breach cases were recorded between 2022 and 2025, with 314 under the Personal Data Protection Act 2010 and 221 outside its scope. The ministry said amendments to the Act now require organisations to appoint Data Protection Officers, notify regulators and affected individuals of breaches, and face higher penalties of up to RM1 million or imprisonment for non-compliance. leaks originating from third parties, such as vendors and service providers.” On why some incidents go unreported, he pointed to reputational fears and limited detection capabilities. “There is often a perception that public disclosure will cause more harm than the breach itself. Some organisations simply do not realise that a breach has occurred or they underestimate its severity.

move through layer after layer of transfers. For that, we used sections 424A, 424B and 424C (of the Penal Code).” He was replying to Yeo Bee Yin (PH-Puchong), who sought statistics on individuals charged or convicted under the newly introduced Penal Code subsections 424A to 424D targeting mule accounts, and the number of scam victims who recovered their money in 2024 and 2025. Sections 424A to 424D of the Penal Code target the misuse and control of bank accounts and payment instruments linked to mule accounts and scam activities. According to data presented, private sector workers made up the largest group of scam victims. “Based on the profiles we compiled, the private sector recorded the highest number of victims, followed by the government sector at about 8%, students at 8%, most of whom provided their accounts to be used as mule and reused. “Seemingly innocuous attributes, such as an email or postcode, could act as linking keys. Multiple partial datasets could be merged to form rich, detailed personal profiles. “Each additional dataset enhances feature richness, predictive accuracy and contextual understanding of the individual. In effect, personal data behaves like a persistent digital footprint, not a consumable asset.” She said the impact of a breach does not end once accounts are secured. “From a data science perspective, data leaks are difficult to reverse because data replication is irreversible once it propagates beyond the original system. Even after users change passwords or phone numbers, leaked data could support identity-verification bypasses and long-term profiling.” Universiti Tun Hussein Onn Malaysia IT security system specialist Dr Zubaile Abdullah said the 535 cases recorded should not be seen as a full picture of the country’s data security posture. “Many data breaches take place quietly, whether through undetected account compromises, intrusions that are only discovered after the data has been sold, or

RM6.7 million returned to online scam victims PETALING JAYA: Malaysia recorded