MySejahtera responds to OTP and email spam issues, assures no user data was accessed

As reported today, several Malaysians have complained about receiving OTP SMS and random emails purported to be coming from MySejahtera. The team behind the national contact tracing app has issued a response on Twitter and assured that “no user data was accessed”.

It added that the random OTP SMS and emails were sent using randomly generated phone numbers and email IDs.

The Ministry of Health has issued a statement to provide clarity about the issue. Based on early investigations by the National Cyber Security Agency (NACSA), the spams were a result of the misuse of API and there’s no data breach on MySejahtera’s platform.

It explained that the MySejahtera check-in registration feature that was meant for business and premise owners to generate a QR code was misused by irresponsible parties to send out OTP codes. If a random phone number or email address matches, an OTP will be sent out via MySejahtera. Meanwhile, the “Need help?” feature on the website was also misused to send out random spam emails to individuals.

To prevent further misuse, the MySejahtera team is taking necessary actions to beef up the security of its app and website to prevent such incidents from happening again. The MySejahtera platform is managed by the Ministry of Health and the National Security Council.

The MySejahtera app is currently the default app to check in at premises and to show proof of vaccination. The app was developed as part of a corporate social responsibility (CSR) effort by KPISoft Sdn Bhd for a period of one year which expired on 31st March 2021. It was reported last month that the Malaysian government has yet to make payment to the company and it will discuss with several agencies to decide the amount and method of payment.

[ SOURCE ]