Telecommunication companies, banks, insurance companies and utility companies should implement stringent controls to prevent customers’ personal data being divulged to unscrupulous third parties.

Criminologist Assoc Prof Datuk Dr P. Sundramoorthy said such entities must carry out “periodical audits” on authorised users in their entities who have access to customers’ data.

“No one user should have unlimited access and their privileges should be reviewed from time to time,” said Sundramoorthy.

His views come following the recent arrest of three company directors by the Malaysian Anti-Corruption Commission (MACC) for allegedly giving millions of ringgit to telecommunication company officials to reveal customer details.

The personal information of the customers were allegedly obtained to conduct SMS fraud by content provider syndicates.

Sundramoorthy said companies must lodge police reports when employees misuse confidential information of customers, including selling the numbers to third parties.

“It has been going on for decades. But corporations tend to not lodge police reports as they don’t want to look bad in the eyes of their customers and potential customers,” he said.

“These institutions must have proper teams dealing with personal data. If there are weaknesses and negligence in preventing leaks, these institutions should be held responsible.”

Drawing an analogy to the Macau Scam, where those who were duped had a lot of savings, Sundramoorthy said a fool-proof system must be in place to find out if personal data was being hacked or sold.

“The police, MACC and the Malaysian Communications and Multimedia Commission must utilise more agent provocateurs. It is not impossible or challenging to detect the perpetrators,” he said.

On the effectiveness of the Personal Data Protection Act which regulates the processing of personal data in commercial transactions, Sundramoorthy said: “It boils down to integrity and ethics … these two elements are not prevalent in our work culture.

“If the players involved are not practising and implementing what is required of them, you can have any amount of laws and it will be useless.”

This article first appeared on TwentyTwo13.