Bersatu has urged authorities to investigate how the personal data of millions of Selangor residents was used without their consent to sign them up for an insurance scheme through a private company, describing recent revelations as "a whole series of criminal acts" under the Financial Services Act (FSA).
The party's legal bureau also questioned the manner in which the data was used after it was obtained from the Election Commission, as admitted by Selangor Menteri Besar Amirudin Shari following a public outcry that arose after individuals found out their names were enlisted for the Skim Insurans Hayat Selangor (Insan) by a private company appointed to manage the programme.
"The implementation of the scheme is highly suspect and riddled with illegality," said Sasha Lyna Abdul Latif, deputy chairman of Bersatu's legal and constitutional bureau, in a statement today.
"The authorities must investigate the clear breaches of the FSA and take prosecution action no matter who or how high the position of those responsible," she added.
She questioned Amirudin's claim that the company, Wavpay Fintech Holding Sdn Bhd, was owned by the Selangor government even though the state only has a 49% stake.
"How can anyone be sure that the data is not shared for other projects since the e-wallet payment gateway was also awarded to the same company? And it was also exposed that the company to which this RM21.6 million project was awarded also has ties with companies that deal with money lenders," she said.
Earlier, MalaysiaNow's checks with the Companies Commission (SSM) showed a web of ownership in Wavpay Fintech Holding, with it being 51%-owned by CT Frank Technology (M) Sdn Bhd and 49% by state-owned Selangor E-Wallet Sdn Bhd.
More startling is the fact that among the company's main business activities is "credit granting", with an SSM entry stating "other financial service activities except insurance/takaful and pension funding".
Further scrutiny of the owners revealed individual stakeholders with addresses in Penang.
The personal data breach was first realised after pro-Pakatan Harapan cybertroopers shared screenshots showing the details of opposition-leaning influencers for the Insan programme, in an effort to demonstrate that they had been reaping the benefits of the state's free insurance policy.
But the move backfired when the influencers said they had never signed up for the scheme, let alone given their personal details.
Concern soon spread on social media over the use of personal particulars, with many attempting to check if they, too, were listed on the Insan scheme through its website, www.programinsan.com.
As outrage over the personal data breach spread, the website became inaccessible but was back online yesterday with a new message saying that the public can now activate their free insurance policy through an app or their state assemblyman's service centre.
Amirudin had earlier denied claims of a data breach, saying the insurance policy still needed to be activated by people whose details were published.
This was despite certificates already issued to millions of users who found out that the insurance policy was activated late last year, with some due for expiry.
"This was clearly an afterthought after its website and system were jammed when people were trying to check whether they were also victims of this scandal.
"The Selangor government and the MB must stop evading the main issues and give a clear explanation to the questions swirling around this insurance scheme. Silence is not an option," said Sasha.
A series of criminal offences
Sasha listed a few examples of crimes committed under the FSA in the episode, adding that a bigger question is how the insurance company obtained the private and personal details of Selangor residents.
She said under Section 2 of the FSA, an insurance contract is entered into upon the issuance of the policy, whether or not a formal contract has been issued.
She said Schedule 8 of the same act states that a disclosure requirement must be adhered to before entering an insurance contract or group policy, including the name of the licensed insurer, the relationship of the licensed insurer with the person offering the policy, the conditions of the group policy, and the premium charged by the licensed insurer.
Meanwhile, Schedule 9 bars licensed insurers or brokers from making misleading, false, or deceptive statements in order to induce a person to enter into an insurance contract, she added.
She said the FSA clearly states that the person entering into an insurance contract must know and accept the contract as well as the identity of the insurance company, failing which an offence is committed that could be liable to imprisonment not exceeding five years, a fine of RM10 million, or both.
"Since the policy had already been issued to all the voters of Selangor without their knowledge, all the pre-contractual disclosures were not adhered to, and it was also done without any offer or acceptance of the insurance contract.
"The insurance scheme was never announced, and the policyholders were never given the option to be offered the insurance scheme, let alone accept the offer.
"In short, a whole series of criminal acts in breach of the FSA have been committed. This is shocking, as it is a Selangor government initiative," Sasha said.