Petaling Jaya MP Lee Chean Chung has intensified pressure on the Selangor government to provide full transparency regarding a cyberattack that compromised the Selangor Intelligent Parking service, arguing that citizens deserve comprehensive answers about the security breach and its consequences.
In a statement issued on Friday, Lee outlined the critical information gaps that must be addressed, including the underlying causes that enabled the breach to occur, the extent to which personal data belonging to motorists and other users may have been exposed, potential financial losses incurred by the state government, and the specific remedial measures now being implemented to prevent recurrence. The MP's intervention reflects growing public anxiety about data security in government-managed digital systems and raises fundamental questions about oversight mechanisms in Selangor.
Should the state government fail to voluntarily provide the requisite transparency, Lee suggested escalating the matter through formal channels by requesting the Selangor Select Committee on Competency, Accountability and Transparency to conduct a public hearing. This procedural step would compel officials to testify under parliamentary scrutiny and provide detailed accounts of the incident, its investigation, and preventive measures—a mechanism designed to ensure elected representatives can properly discharge their accountability function to constituents.
The cyberattack has reignited longstanding concerns about the vulnerability of citizens' personal information within state-administered digital infrastructure. The exposure of data such as vehicle registration details, payment card information, or location history linked to parking transactions could expose users to identity theft, financial fraud, and invasive surveillance. For Malaysia, where digital literacy remains uneven across the population, such breaches undermine public confidence in government services and create hesitation about adopting e-governance platforms.
Lee's critique extends beyond the immediate security incident to challenge the underlying governance model underpinning the Selangor Intelligent Parking system. The MP has previously raised objections to the privatisation of what he characterises as essential public digital infrastructure, particularly the arrangement whereby private concessionaires retain half of all parking revenue collected. This financial incentive structure, he argues, prioritises profit extraction over service reliability and public interest, potentially creating cost-cutting pressures that compromise security investments.
The MP's earlier intervention in July 2025 had called for an immediate suspension of the SIP system pending a comprehensive policy review and framework overhaul. At that time, Lee highlighted the fundamental misalignment between Selangor's approach and the broader federal government strategy of building domestic digital capacity. The Federal Government's establishment of GovTech was explicitly designed to strengthen in-house technological capabilities within the public sector, reduce reliance on external commercial vendors, and eliminate data fragmentation across government agencies—a coherent vision for digital sovereignty and institutional resilience.
Conversely, Selangor's continued pursuit of the SIP model through partnerships with private operators effectively outsources core parking management and system operations to commercial entities. This approach concentrates control of critical infrastructure and sensitive citizen data in private hands, creating dependencies on external vendors and exposing the government to contractual vulnerabilities and commercial pressures. The arrangement also perpetuates data silos by segregating parking information within proprietary systems rather than integrating it into unified government databases subject to consistent security standards.
For Malaysian observers, this tension between public and private management of digital infrastructure carries broader implications. As government services increasingly migrate online, decisions about whether to build capability internally or contract with private providers shape long-term resilience, security posture, and institutional autonomy. The cyberattack on the Selangor system serves as a concrete demonstration of the risks embedded in fragmented, vendor-dependent architectures—risks that become especially acute when the systems in question handle personal data from millions of ordinary citizens.
Lee's framing emphasizes an essential principle: when government requests that citizens entrust personal information and daily transactions to digital systems, the state assumes a fiduciary duty to safeguard that information with rigorous security practices and institutional commitment. Outsourcing this responsibility to profit-driven private operators creates an inherent conflict of interest, as commercial entities may prioritise cost minimisation over security investment, and shareholder returns over public protection. The privatisation model thus inverts the accountability relationship, shifting responsibility from publicly-elected officials answerable to constituents toward commercial contractors answerable primarily to investors.
The Selangor incident exemplifies broader questions about digital governance that Southeast Asian governments increasingly confront. As countries across the region develop smart city and digital public services initiatives, the choices made about public versus private provision, in-house versus outsourced capacity, and centralised versus fragmented architectures will determine whether citizens' data remains secure and whether governments maintain genuine control over their technological futures. Lee's call for transparency and his critique of the privatisation model articulate a growing consensus that such decisions warrant intensive public scrutiny and democratic deliberation.
Moving forward, the investigation into the parking system breach should address not merely the technical details of the attack but also the governance structures that permitted it. This requires examining whether the private operator's contractual obligations included adequate security standards, whether auditing mechanisms existed to verify compliance, and whether the state government maintained sufficient oversight capacity to detect and respond to threats. The answers will reveal whether the current model adequately protects citizens or requires fundamental restructuring toward greater public control and in-house capacity.
The incident also underscores the importance of Malaysia developing robust national standards for cybersecurity in government-administered systems, coupled with transparent incident reporting requirements and public accountability mechanisms. Without such frameworks, individual breaches become missed opportunities for systemic learning and improvement. With proper transparency and accountability structures, they become catalysts for stronger protection of citizen data and more prudent governance of public digital infrastructure across the country.
