Malaysian payment gateway platform iPay88 suffers data leak, card data may be compromised

If you typically use contactless payment methods, chances are that you’ve used iPay88 even without realising it. iPay88 is one of Malaysia’s biggest payment gateway platforms, providing point-of-sale solutions for plenty of merchants throughout Malaysia and the region.

As such, it’s understandably quite worrying to know then that iPay88 has suffered a cybersecurity breach, and that customer card data may have been compromised. They then state that, once they had found out about the issue on 31 May, they began investigating it and got cybersecurity experts to deal with the matter. iPay88 also stated that there’s been no further suspicious activity since 20 July, and that there’s new measures in place to prevent further incidents. On top of that, they’re already working together with the authorities over the issue too.

Among the major companies listed as iPay88 merchants include Shopee, KK Mart, Senheng, SenQ, Nandos, Machines, and more.

Here’s their statement in full:

“iPay88 would like to report that there was a cybersecurity incident where card data may have been potentially compromised.

Upon discovery of the issue, we immediately initiated an investigation on 31 May 2022 and brought in cybersecurity experts to contain the issue. The containment process was successfully completed and no further suspicious activity has been detected since 20 July 2022.

To ensure the continued safety of the card data, we have implemented various new measures and controls to strengthen the system’s security against any further incidents. The investigation is currently ongoing and we are working closely with the authorities and relevant parties on this matter. More updates and detailed findings will be shared in due course.

All financial institution partners have been informed and kept up to date. We will continue to monitor the situation closely and ensure the safety of the cardholder data,” – iPay88 statement

However, their statement has raised more questions than answers. For starters, iPay88’s statement did not reveal just how many customers and merchants were affected by this data breach. Furthermore, Lembah Pantai MP Fahmi Fadzil also wants to know why, despite having known of the breach back in May, did it take iPay88 this long to make the matter public. Furthermore, despite knowing of a data breach happening at least some time in May and lasting till July, they were still organising events, campaigns and promotions, such as partnering with Atome and taking part at the PJ Startup Festival 2022 while customers remained in the dark.

iPay88 was first founded back in 2000 in Malaysia by Chan Kok Long, Lim Kok Hing and Chong Lee Kean. They have a presence in seven countries across the continent, and would be acquired by NTT Data, a Japanese system integration company, in 2015.