By Dr Rahim Said
For years, cybersecurity experts have comforted business owners with assurances that our digital fortresses are impenetrable.
They love phrases like “bank-grade security” and “multi-layered firewalls,” delivered with the calm confidence of people who have never personally had RM200 million evaporate from under their noses.
Yet here we are. Sin Chew Daily has now exposed what may be one of Malaysia’s most embarrassing cyber-heists: a government-linked financial institution, allegedly hacked so cleanly and so quietly that the thieves walked away with RM200 million in neatly laundered batches, and nobody noticed until it was long gone.
It is the kind of incident that confirms every sceptic’s suspicion that our so-called digital protections might be just decorative barriers, like putting a padlock on a glass door and hoping for the best.
According to insiders, the hackers not only breached the bank’s internal systems, they did it with finesse. They transferred the funds out in stages, used professional launderers to mask the trail, and kept themselves so digitally invisible that even Bukit Aman’s elite units are now poring over empty logs and ghost entries.
The police, Commercial Crime Investigation Department, Narcotics Crime Department, and the AMLA task force have all been thrown into the hunt, forming a task force — usually reserved for drug cartels or money-laundering kingpins, not a supposedly impenetrable bank quietly bleeding money.
CCID’s director politely declines to comment, which in Malaysia is code for “the situation is worse than we want to admit.”
But this incident exposes something deeper than one bank’s embarrassment. It reveals a national habit: we treat cybersecurity as a box to tick, a certificate to display, a password to recycle from 2012.
Firewalls become comforting myths rather than actual barriers, and every breach is met with the same ritualistic script — “we take this seriously,” “we are strengthening security,” “an internal investigation is underway” — as though words themselves can patch vulnerabilities that hackers have already danced through like a pasar malam crowd browsing stalls.
Malaysia, as always, believes in the power of “tak apa.” We assume nothing bad will happen, until it does, and usually in spectacular fashion. Our digital systems often receive updates as frequently as public buses on public holidays, and when something finally goes wrong, it is explained away as an “incident,” as though RM200 million simply decided to take a holiday and forgot to inform the bank.
The silence surrounding this incident is louder than any alarm bell. When everyone is investigating but nobody is talking, Malaysians know instinctively where the truth lies.
The situation is “extremely serious and highly sensitive,” insiders say, while the public statement maintains that everything is perfectly normal. It is the familiar dual reality we have come to recognise: one version for the public, another for those scrambling behind the scenes.
Ultimately, this cyber-heist forces us to confront an uncomfortable truth: the cost of cybercrime in Malaysia has officially surpassed the cost of prevention.
We can continue pretending our firewalls are magical shields that keep out digital intruders, or we can finally admit that cybersecurity must be treated as critical national infrastructure, not an optional budget item squeezed between office renovations and new swivel chairs.
Because if RM200 million can quietly slip through the digital cracks of a major bank, then the rest of us should take no comfort at all in assurances about “robust protections.”
The truth is painfully clear — our firewalls are not walls at all. They are more like decorative fences, impressive from afar but trivial for thieves who know exactly where the gaps are.
Yet, we are told once again: everything is fine. Which, in Malaysia, is usually the clearest sign that it isn’t.
The views expressed here are entirely those of the writer
WE