The Selangor government led by Menteri Besar Amirudin Shari may be heading towards a massive data breach scandal involving a free insurance scheme for the public, as people question how their personal particulars, including MyKad number and home address, were used without the consent required by privacy laws.
The revelation was made by a group of social media influencers critical of Pakatan Harapan late Tuesday evening.
Several screenshots showing them as policyholders of Insurans Hayat Selangor (Insan) were shared online in an effort to demonstrate that they had been reaping the benefits of the government's free insurance policy.
But the move backfired when the influencers said they had never signed up for the scheme, let alone given their personal details.
Concern soon spread on social media over the use of personal particulars, with many attempting to check if they, too, were listed on the Insan scheme through its website, www.programinsan.com.
By yesterday, the website was inaccessible, believed to be due to a spike in web traffic.
As of press time, meanwhile, the website had been suspended, leading to more suspicions.
Yesterday, Amirudin admitted that the personal data of Selangor residents were taken from the Election Commission, saying they were used to enrol them for the scheme.
Amirudin however played down concerns of a data breach, saying the enrolment was a "pre-registration" where individuals needed to activate the insurance policy.
But checks on the website raised questions about his claim, with many finding that their policies had already been activated and some even due for expiry.
"I have four children who are young voters in Selangor. I checked yesterday that their names were registered. There is a commencement date and expiry date. It's already a policy. Not pre-registration," activist Dr Rafidah Hanim Mokhtar said on Facebook.
She was among many who expressed shock that their details such as address and identity card number were printed on insurance certificates without their consent.
At the heart of the controversy is Wavpay Fintech Holding Sdn Bhd, a private company listed as the master policyholder for Insan.
Checks with the Companies Commission of Malaysia (SSM) showed that the company is 51%-owned by CT Frank Technology (M) Sdn Bhd, with the remaining 49% held by state-owned Selangor E-Wallet Sdn Bhd.
This has led to questions over how personal data can be transferred to a non-government entity, in violation of the Personal Data Protection Act.
More startling is the fact that among the company's main business activities, as listed with SSM, is "credit granting". The SSM entry also noted "other financial service activities except insurance/takaful and pension funding".
Further scrutiny of CT Frank Technology revealed a web of ownership with addresses in Penang. The company is majority-owned by Dynamic Frank Sdn Bhd, as well as Tan Siew Ming and Tan Chun Aik.
Dynamic Frank, meanwhile, is majority-owned by Global Frank Sdn Bhd as well as another individual, Tan Cheai Peng, who has a Penang address.
Global Frank in turn, which also has a Penang address, is owned by four other individual shareholders, three of whom are from Penang and the other from Perak.
Wavpay Fintech Holding is linked to WavPay System Sdn Bhd, a company which was already embroiled in another problematic deal with the state government to develop an e-wallet application.
Last year, Gombak Setia assemblyman Hilman Idham urged the Selangor government to explain an investment of RM10 million in WavPay System despite the company facing accumulated losses of RM4.7 million.
"What reasonable justification could there be for the state government to inject RM10 million into a company that has no assets and no income?" he asked during a debate in the Selangor assembly on July 29, 2022.