NEWS
Malaysia Flexi Parking Cyberattack Hits 64 Councils; Fahmi Calls NACSA
Malaysia’s Flexi Parking cyberattack has disabled digital parking payments across 64 local councils, prompting Fahmi Fadzil to consult NACSA.
A cyberattack on Malaysia’s Flexi Parking app has disabled digital parking payments across 64 local councils, leaving motorists unable to pay for street parking for two days running. Selangor state authorities confirmed the breach at a Tuesday briefing and ordered all 64 councils to hold off on issuing parking summonses while recovery work continues. On Thursday, Communications Minister Fahmi Fadzil said his ministry will consult the National Cyber Security Agency, known as NACSA, over the incident. The outage underscores how a single platform now sits in front of payments for dozens of municipal councils across multiple states.
The 64-council figure ties the Flexi Parking breach to municipalities well beyond Selangor. The app is operated by Leading Innovative Technologies And Systems Sdn Bhd, a Malaysian firm that has been folding local parking services into a single platform over recent months. Ng Suee Lim, the Selangor state chairman who oversees local councils, said the breach extended beyond Selangor to every authority using Flexi Parking.
Cyberattack on Flexi Parking Knocks Out Payments at 64 Councils
A cyberattack has crippled the Flexi Parking app across 64 local councils nationwide, leaving motorists unable to pay for their parking for the past two days. The disruption first surfaced on 30 June and extended into 1 July, with the Flexi Parking platform still offline as of Thursday’s federal response. Selangor state local government committee chairman Datuk Ng Suee Lim confirmed the breach at a press conference on Wednesday, framing it as a system-wide incident rather than a state-level problem. The 64 councils affected use Flexi Parking for on-street payments, off-street payments, and parking compound settlements. The app’s Facebook page acknowledged the disruption in a Tuesday update, telling users that system recovery works are still ongoing and that the app service remains unavailable at this time.
Ng told reporters after visiting the newly-opened Stadium Shah Alam LRT station that the system had been hacked and restoration was in progress. He said his team had asked every affected local council not to issue summonses for the two days the platform was offline. The Star reported that Ng said the breach ‘paralysed parking payment platforms across 64 local councils nationwide’ and forced an immediate shutdown of the Selangor Intelligent Parking, or SIP, system. The Star also said Ng described the disruption as one that ‘disabled digital parking payments for hundreds of thousands of motorists’ within Selangor and across other states using the same platform.

A Network Built on Centralization
Ng said the vulnerability did not originate with the Selangor Intelligent Parking concessionaire, Rantaian Mesra Sdn Bhd. The breach hit the centralized Flexi Parking platform that, by Ng’s account, recently took over the network to manage parking. The transition brought major Selangor cities, including Shah Alam, Subang Jaya, and Selayang, onto a single vendor’s stack alongside authorities in other states. Flexi Parking is operated by Leading Innovative Technologies And Systems Sdn Bhd, registered as the seller on the platform’s Flexi Parking’s mobile app product page. The vendor’s product entry described the platform as supporting more than 46 municipal councils across 9 states, a footprint that has since grown.
According to The Star, Ng stated the breach ‘targeted the centralised Flexi Parking platform which recently took over the network to manage parking.’ He stressed that the SIP private concessionaire was not the source of the vulnerability. Ng’s position was that the move to the nationwide Flexi Parking system itself triggered the disruption across the 64 councils.
The Star’s account describes the security breach as one that ‘struck over the last 48 hours.’ The disabling of digital parking payments for hundreds of thousands of motorists occurred both within Selangor and across several other states using the same platform. Ng said operations were suspended to protect user data integrity and to enable a forensic recovery process. The shutdown was precautionary rather than purely technical, in the chairman’s framing. Whether data was accessed during the breach has not been disclosed by the platform’s operator or by Selangor.
Ng told the press the system’s data and transaction logs were hacked, and that the incident extends well beyond Selangor. Flexi Parking’s own statements, posted to its Facebook page on Tuesday, used the phrase ‘unexpected service disruption.’ The official statement did not address whether any user data was accessed.
Fahmi Calls in NACSA
Communications Minister Fahmi Fadzil said on Thursday, July 2, that his ministry will consult NACSA over the cyberattack. The NST reported that Fahmi’s office has formally opened the federal review path through the National Cyber Security Agency.
NACSA is the lead government agency for cybersecurity under Malaysia’s National Security Council. Its statutory powers are spelled out in the Cyber Security Act 2024, which was gazetted on 26 June 2024. Per the NACSA page, the Prime Minister appoints 26 August 2024 as the date on which the Act comes into operation. The Act covers the management of cyber security threats and incidents related to National Critical Information Infrastructure, or NCII. NACSA outlines NACSA’s mandate under the Cyber Security Act 2024 on its own site, with broader roles coordinated through the agency including licensing for cybersecurity service providers.
The federal response is a Communications Ministry action; the operational outage sits with the platform and the local councils themselves. Selangor’s confirmation came from the state tourism and local government committee chairman, not from a federal agency. NACSA’s involvement does not by itself restart the platform, and any recovery timeline rests with the platform vendor.
What We Know About the Breach
Public statements on the Flexi Parking breach are still coming in as the platform remains offline. The clearest statements so far come from Selangor’s own committee chairman, who set a broad recovery window. He told reporters the system could be back online either today, tomorrow, or the following day. His statement put it directly.
There was a problem affecting transaction data and related systems. It was hacked.
Datuk Ng Suee Lim, Selangor state local government committee chairman, addressed reporters at the 1 July briefing. He confirmed that transaction data on the Flexi Parking platform was hacked. He also asked every affected local council not to issue parking summonses for the two days the platform was offline.
Separately, a group calling itself MelayuSpiritual has claimed responsibility for the breach on a public-facing page. The post described the attackers as obtaining root access to a Flexi Parking server. The same page claimed about 7 million user records sat in the database the attackers allegedly accessed. The exploit used, the attackers say, was SQL injection combined with an unauthenticated file upload vulnerability.
The 7 million figure remains an attacker claim rather than a confirmed count. The Gotchaa Lab cybersecurity blog noted that the company has not confirmed whether any data was actually copied. Public reporting on the technical details so far traces back to the attackers’ own message rather than a third-party forensic brief.
The breach mechanism described by the attackers, SQL injection combined with an unauthenticated file upload, represents a class of security flaw that security researchers have documented for decades. Specific server details in the attackers’ post, including claims about a legacy kernel build, have not been verified. Flexi Parking’s most recent official statement, on its Facebook page, focused on service restoration rather than on the attackers’ claims. The platform vendor has not provided a confirmed tally of exposed records, if any. Until a forensic review is published or NACSA issues findings, the public read of how the attack worked stays limited to attacker statements.
- 64 local councils nationwide using Flexi Parking for digital parking payments
- The breach struck over a 48-hour window, per The Star
- Hundreds of thousands of motorists affected across Selangor and other states
- About 7 million user records allegedly accessed by attackers (claim not verified by the platform)
- Flexi Parking’s pre-expansion footprint: more than 46 municipal councils across 9 states
Summonses Frozen, Alternative Apps Switched On
With the platform offline, several councils have moved to alternative payment arrangements and to a temporary pause on enforcement. Kuala Lumpur City Hall, or DBKL, told motorists to use EZ KL Smart Park, Setel, or MCash while the Flexi Parking service remains unavailable. Perbadanan Putrajaya told drivers at controlled parking locations to use Touch ‘n Go cards, debit cards, or credit cards instead. Port Dickson Municipal Council, or MPPD, suspended both parking payment services and parking enforcement activities while the platform completes recovery and technical testing.
| Council | Workaround announced |
|---|---|
| All 64 local councils nationwide | Hold off on issuing parking summonses for two days |
| Kuala Lumpur City Hall (DBKL) | Use EZ KL Smart Park, Setel, or MCash as alternatives |
| Perbadanan Putrajaya | Use Touch ‘n Go cards, debit, or credit cards at controlled parking lots |
| Port Dickson Municipal Council (MPPD) | Parking payment services and enforcement activities suspended |
The same Tuesday briefing framed the response nationally. Ng asked all PBTs to refrain from issuing compounds for the next two days while the system is being restored. The Communications Ministry’s involvement through NACSA, announced Thursday, parallels ongoing state-led work. Restoration work is ongoing and a federal review through NACSA has begun, Communications Minister Fahmi Fadzil said on Thursday, July 2. The Communications Ministry has not given a date for NACSA findings to be released.
-
NEWS4 weeks agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
GAMING3 weeks agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
AI1 week agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
NEWS2 months agoApple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
-
APPS3 weeks agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI1 week agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
-
CRYPTO2 months agoAndreessen Horowitz Bets $2.2B on Crypto’s Quiet Cycle
-
AI4 weeks agoVinRobotics’ VR-H3 Debuts at Vienna, VinFast Is Next
