The health ministry has been advised to conduct an assessment of the security levels of the MySejahtera and MyVAS applications as a whole and make security enhancements to their respective systems and data.
According to the Auditor-General's Report for the Year 2021 Series 2 released today, this is to overcome weaknesses in the user account management for administrative and data matters, as well as data security that could invite the risk of account abuse.
The report said that one super admin account had downloaded the private information of three million vaccine recipients from the MySejahtera application by using various internet protocol addresses.
"The health ministry must ensure that the management of MySejahtera and MyVAS user accounts is implemented according to the ministry’s information and communications security policies.
"The ministry must conduct data housekeeping to ensure that the data is always available, complete and reliable," it said.
Other examples of weaknesses listed in the report included an instance in which 3.89 million records were uploaded more than a day after the individuals were vaccinated, 1.12 million cyber-attack attempts on MySejahtera from Oct 27, 2021, and 28,735 vaccination records showing individuals receiving the vaccine after the vaccination centres had been closed.
It also noted how 1,657 individuals had more than one MySJ ID while 1,543 individuals had between two and seven accounts involving 3,108 active MySJ IDs with their identities verified and having received vaccines.
"Agencies need to refer to the finance ministry for urgent and immediate procurement or payment to avoid any violation of the regulations in force," the report read.