The trouble with MCMC’s ‘fake news’ crusade and the biggest personal data breach in our history

In late October 2017, news began to spread of what would eventually come to be known as the biggest personal data breach in Malaysia’s history – the customer data of more than 46 million consumers of mobile phone subscribers (Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX), personal records from the Malaysian Medical Council, Malaysian Medical Association, Malaysian Dental Association,, and even records of organ donors and their next of kin from government hospitals and the National Transplant Resource Centres, and numerous other public and commercial websites.

In the months since then, the Malaysian Communications and Multimedia Commission (MCMC), instead of working to regain public confidence by handling this crisis by investigating and updating the public on efforts made to fortify data security, have been busy doing everything else: from continuing to arrest and prosecute those who ‘insulted’ the Prime Minister and other VVIPs, investigating The Malaysian Insight over its editorial titled ‘A Sham of an RCI’, and obsessed over and exaggerated the threat of ‘fake news’.

Yet, on the matter of the data breach, MCMC have been a dumpster fire, chosen to keep quiet – their silence all the more shocking given the revelation that the breached motherlode of personal data from the telecommunications companies were, in fact, from or caused by MCMC’s own phone blocking system, outsourced and run by a little-known company named Nuemera Sdn Bhd.


The Scourge of ‘Fake News’

MCMC Chief Operating Officer Mazlan Ismail was recently in the news saying that the current punishments under section 233(1) of the Communications and Multimedia Act 1998, commonly used to target allegedly ‘offensive’ social media messages are “insufficient”, and recommended that the fine and jail time for offenders be increased tenfold from the current fine of RM50,000 to RM500,000 and the jail sentence from one year to ten years.

Amidst this grandstanding, the hypocrisy of the then-BN/UMNO candidate for Permatang Pauh demanding harsher penalties for those guilty of spreading ‘fake news’ should be clear to all: this is the same Mazlan Ismail who in August 2013, had called a press conference and alleged Anwar Ibrahim had paid the late Karpal Singh over RM 50 million since 2008 to bribe judges and prosecutors.

This allegation, which Mazlan claimed he had received from some 6,000 anonymous letters, was then published widely by pro-government media including TV3 and Utusan Malaysia. Mazlan had in fact disseminated highly reckless and defamatory statements, not only about his political opponents but against judges and prosecutors, for which he is now being sued by Anwar. These mysterious 6,000 letters Mazlan allegedly received have never been produced, even during his ongoing defamation trial.

To so maliciously and outrageously slander the opposition (and in the process, the judges and prosecutors) some five years ago only to turn around and demand those guilty of spreading ‘fake news’ be punished even more severely than they are now is a truly shameless act. As a public servant heading the country’s regulator for communications and multimedia content, Mazlan should be an exemplar of the values of truth and integrity. Surely, the irony cannot be lost on MCMC that if they are adamant in insisting that the penalties for ‘fake news’ offenders be increased tenfold, then their COO Mazlan Ismail should be the first in line to be charged for ‘fake news’.


Sebenarnya, really?

Determined to continue milking the ‘fake news’ cow, MCMC also launched in May 2017, a ‘fact-checking’ website to purportedly verify local news. Besides the obvious futility of such an endeavour, one questions MCMC’s credibility as a fair arbiter of judging what is ‘true’ or ‘fake’ news in the country. A cursory examination of the various posts on the website all indicate information sourced from government agencies and pro-government news outlets; indeed, most of the news verified as ‘true’ leans in favour of the government in some shape or form.

More importantly, however, the fake news bogeyman is not the juggernaut that it has been made out to be. Recently, researchers at the University of Oxford and the Reuters Institute, in analysing the traffic on fake news websites in France and Italy, uncovered the fact that most fake news sites reached on average less than 1% of the online population, as opposed to mainstream media sites reaching anywhere between 22.3% in the former, and 50.9% in the latter[1].

If these patterns hold true for the rest of the world (and there is no reason to suggest otherwise), then it stands to reason that the clarion call to combat ‘fake news’ as a threat to national security or public order is an exaggeration in order to justify further restrictions in cyberspace. These exaggerated threats certainly do not merit the use of taxpayers’ money to create a website dedicated to government propaganda in the guise of fact-checking, and certainly not the various activities and roadshows, and even a smartphone application to promote

The money and time invested into this could just as easily have been utilised elsewhere, and for greater good. Tech enthusiast Keith Rozario recently published an expose detailing the abysmal cybersecurity conditions of official government websites – most, if not all of which are one hack away from becoming yet another disaster.

Instead of exaggerating the threat of ‘fake news’ and throwing their resources at what is in truth a minor problem in the today’s vast information and technology overload, MCMC should be looking at fortifying data security and saving the national embarrassments that are our government websites.


Nuemera Uno

The number one problem with MCMC seems to be that they have been sleeping on the one job they are supposed to be good at. There are many questions to be asked of MCMC’s handling of the data breach last year, and their continued silence merely points to their guilt with each passing day. Why was such a massive contract to run the Public Cellular Blocking Service (PCBS) with the confidentiality involved, outsourced to Nuemera Sdn Bhd, a dormant company (based on its profile with the Companies Commission, retrieved in November 2017) with no track record of any similar work? Given MCMC’s budget and role as national communications and multimedia regulator, surely a task such as this was not beyond their capabilities.

Information available online on Nuemera is sketchy, but what can be accessed certainly paints a shady picture. In August 2016, the government even obtained a court judgment against Nuemera in order to claim GST arrears of RM 889,000. That the PCBS contract was not awarded through an open tender process is merely another chapter in this mystery, and each layer tarnishes MCMC’s image further in this disaster.

There are more important things than ‘fake news’ for MCMC to be worrying about. The personal data of millions of Malaysians have been compromised from within, and the silence is deafening. The public demands answers and accountability – and MCMC seem to be able to offer neither.


By Eric Paulsen, Executive Director of Lawyers for Liberty


[1] Fletcher, Richard , Alessio Cornia, Lucas Graves, and Rasmus Kleis Nielsen. 2018. ‘Measuring the reach of “fake news” and online disinformation in Europe.’