iPay88 now claims POS, QR and eWallet transactions not affected in its data breach

Last week, Malaysian payment gateway platform iPay88 reported that they were the victim of a “cybersecurity incident”, which is quite worrying considering that they’re one of the biggest point-of-sale solutions provider in the region. However, their statement was scarce of details over how many users were actually affected, and also came months after the incident occurred.

Since then, we’ve been informed that the data breach suffered by iPay88 apparently did not include card transactions through point-of-sale (POS) machines, nor did it affect transactions through Android terminals, eWallet and QR payments as well as online banking, buy-now-pay-later and batch card payment methods. This likely means that the payment methods affected include just online transactions via a credit, debit or prepaid card.

Here’s the full statement from an iPay88 representative to one of their clients, a POS system provider:

“We are sorry for any inconvenience caused and we thank you for your continued support. We would like to share more information with you to help you manage any queries you might be receiving from your customers.

Card transactions through the Android terminal, as well as transactions through e-wallet and QR payment, online banking, BNPL, vending machines, Point Of Sale (POS) and batch card payment, were not affected. Please be assured that payments are processed through iPay88 safely.

If your customers have any queries regarding their cards, you may suggest they refer to their bank,” – iPay88

This came to light after the POS system provider got in touch with us to claim that their POS terminals were not involved in the iPay88 cybersecurity incident. Instead, they say that only online payment methods under ‘card’ were affected; this was not mentioned in the original iPay88 media statement. We then asked them to provide us more details about this claim, which they did by forwarding us an email from an iPay88 representative which included the aforementioned statement.

However, we did notice some irregularities with their response. First off, the POS system provider got in touch with us at 1.39pm, 13 August 2022. We replied to them stating that the iPay88 statement didn’t mention what they were claiming, and asked for more details at 10.13pm, 13 August 2022. The POS system provider then forwarded us the email from the iPay88 representative at 9.39am, 15 August 2022. However, the email from iPay88 with the statement was only sent to the POS system provider at 11.28pm, 13 August 2022.

Nevertheless, in light of these new details, we’ve since gotten in touch with an iPay88 representative, though they’ve since declined to provide further clarification over the matter. They also declined to reveal the number of people affected by the data breach. We will however provide more updates if and when we have them. In the meantime, investigation into the matter is still ongoing, but Bank Negara Malaysia has already instructed banks to notify affected cardholders.