Small Data Leak, Big Legal Bill

APRIL 2025

What the 24 April 2025 Bursa Hack Means for Every Malaysian SME

What Happened on 24 April 2025

Hackers slipped into brokerage firms’ systems, then hijacked ordinary trading accounts. Within minutes Bina Puri warrants doubled in price while Pos Malaysia shares spiked to abnormal highs. Brokers froze trading and forced mass password resets. Regulators later confirmed that the intrusion began inside brokerage infrastructure rather than on investors’ devices.

Why the Personal Data Protection (Amendment) Act 2024 Matters More Than Price Swings

Key Legal Changes Every Business Must Prepare For:

  • Tougher Penalties – Effective 01 April 2025

    The maximum fine for non-compliance has increased from RM300,000 to RM1 million, and the maximum imprisonment term has been extended from 2 years to 3 years. These stricter penalties reflect a heightened focus on data protection enforcement.
  • Mandatory Appointment of Data Protection Officer (DPO) & Mandatory Breach Notification – Effective 01 June 2025

    Section 12A requires a data controller to appoint at least one Data Protection Officer (DPO). This role may be fulfilled internally or outsourced to a qualified third party.

    Section 12B and the Data Breach Notification Guidelines require a personal data breach to be reported to the Commissioner within 72 hours, and require affected data subjects to be notified without unnecessary delay and in any event no later than 7 days.

    A data controller who fails to report to the Commissioner shall on conviction be liable to a fine not exceeding RM250,000 and/or imprisonment for a term not exceeding 2 years.

How Breach Notification Hits Businesses

A breach is not limited to sophisticated hackers. A courier label printed with names, addresses and phone numbers delivered into the wrong hands, an unencrypted USB drive left in a taxi, or a stolen WhatsApp backup all trigger the same 72-hour clock. Liability sits with the proprietor even when the fault lies with a cloud provider or point-of-sale vendor. When regulators investigate, they open with two questions: How fast did you discover the breach? What did you do in the first twenty-four hours?

Quick Compliance Wins

  • Insert a contract clause that requires every third-party service provider or data processor to alert you as soon as they detect suspicious activity, because your timer starts when they know. Failure to receive timely alerts could cause you to miss the 72-hour reporting window, triggering an offence under the PDPA.
  • Create a simple data map that shows where personal data (such as customer and employee details) lives.
  • Activate multi-factor authentication on email accounts, accounting software and point-of-sale systems.
  • Shred or archive personal data older than seven years unless another law requires retention.
  • Appoint a Data Protection Officer (DPO) without delay, and review your current data protection policies and standard operating procedures for compliance gaps.

How Sherlene Lai & Co. Can Help

My sole-proprietorship practice, part of the JUSTLaw network, helps businesses navigate the requirements of the PDPA, assists with negotiating data processor indemnities and conducts half-day drills so staff can spot phishing attempts and act without panic. My clients range from two-person design studios to retailers with tens of thousands of loyalty members. A ready-to-file notification template and a clear incident checklist save precious hours when the clock starts ticking.

Book a complimentary twenty-minute review call. One conversation today can prevent an expensive headline tomorrow.