Malaysia Flexi Parking Cyberattack Hits 64 Councils; Fahmi Calls NACSA

Malaysia’s Flexi Parking cyberattack has disabled digital parking payments across 64 local councils, prompting Fahmi Fadzil to consult NACSA.

A cyberattack on Malaysia’s Flexi Parking app has disabled digital parking payments across 64 local councils, leaving motorists unable to pay for street parking for two days running. Selangor state authorities confirmed the breach at a Tuesday briefing and ordered all 64 councils to hold off on issuing parking summonses while recovery work continues. On Thursday, Communications Minister Fahmi Fadzil said his ministry will consult the National Cyber Security Agency, known as NACSA, over the incident. The outage underscores how a single platform now sits in front of payments for dozens of municipal councils across multiple states.

The 64-council figure ties the Flexi Parking breach to municipalities well beyond Selangor. The app is operated by Leading Innovative Technologies And Systems Sdn Bhd, a Malaysian firm that has been folding local parking services into a single platform over recent months. Ng Suee Lim, the Selangor state chairman who oversees local councils, said the breach extended beyond Selangor to every authority using Flexi Parking.

Cyberattack on Flexi Parking Knocks Out Payments at 64 Councils

A cyberattack has crippled the Flexi Parking app across 64 local councils nationwide, leaving motorists unable to pay for their parking for the past two days. The disruption first surfaced on 30 June and extended into 1 July, with the Flexi Parking platform still offline as of Thursday’s federal response. Selangor state local government committee chairman Datuk Ng Suee Lim confirmed the breach at a press conference on Wednesday, framing it as a system-wide incident rather than a state-level problem. The 64 councils affected use Flexi Parking for on-street payments, off-street payments, and parking compound settlements. The app’s Facebook page acknowledged the disruption in a Tuesday update, telling users that system recovery works are still ongoing and that the app service remains unavailable at this time.

Ng told reporters after visiting the newly-opened Stadium Shah Alam LRT station that the system had been hacked and restoration was in progress. He said his team had asked every affected local council not to issue summonses for the two days the platform was offline. The Star reported that Ng said the breach ‘paralysed parking payment platforms across 64 local councils nationwide’ and forced an immediate shutdown of the Selangor Intelligent Parking, or SIP, system. The Star also said Ng described the disruption as one that ‘disabled digital parking payments for hundreds of thousands of motorists’ within Selangor and across other states using the same platform.

A Network Built on Centralization

Ng said the vulnerability did not originate with the Selangor Intelligent Parking concessionaire, Rantaian Mesra Sdn Bhd. The breach hit the centralized Flexi Parking platform that, by Ng’s account, recently took over the network to manage parking. The transition brought major Selangor cities, including Shah Alam, Subang Jaya, and Selayang, onto a single vendor’s stack alongside authorities in other states. Flexi Parking is operated by Leading Innovative Technologies And Systems Sdn Bhd, which is registered as the seller on the Flexi Parking mobile app’s product page. The vendor’s product entry described the platform as supporting more than 46 municipal councils across 9 states, a footprint that has since grown.

According to The Star, Ng stated the breach ‘targeted the centralised Flexi Parking platform which recently took over the network to manage parking.’ He stressed that the SIP private concessionaire was not the source of the vulnerability. Ng’s position was that the move to the nationwide Flexi Parking system itself triggered the disruption across the 64 councils.

The Star’s account describes the security breach as one that ‘struck over the last 48 hours.’ The disabling of digital parking payments for hundreds of thousands of motorists occurred both within Selangor and across several other states using the same platform. Ng said operations were suspended to protect user data integrity and to enable a forensic recovery process. The shutdown was precautionary rather than purely technical, in the chairman’s framing. Whether data was accessed during the breach has not been disclosed by the platform’s operator or by Selangor.

Ng told the press the system’s data and transaction logs were hacked, and that the incident extends well beyond Selangor. Flexi Parking’s own statements, posted to its Facebook page on Tuesday, used the phrase ‘unexpected service disruption.’ The official statement did not address whether any user data was accessed.

Fahmi Calls in NACSA

Communications Minister Fahmi Fadzil said on Thursday, July 2, that his ministry will consult NACSA over the cyberattack. The NST reported that Fahmi’s office has formally opened the federal review path through the National Cyber Security Agency.

NACSA is the lead government agency for cybersecurity under Malaysia’s National Security Council. Its statutory powers are spelled out in the Cyber Security Act 2024, which was gazetted on 26 June 2024. Per the NACSA page, the Prime Minister appointed 26 August 2024 as the date on which the Act came into operation. The Act covers the management of cyber security threats and incidents related to National Critical Information Infrastructure, or NCII. NACSA outlines its mandate under the Cyber Security Act 2024 on its own site, with broader roles coordinated through the agency, including licensing for cybersecurity service providers.

The federal response is a Communications Ministry action; the operational outage sits with the platform and the local councils themselves. Selangor’s confirmation came from the state tourism and local government committee chairman, not from a federal agency. NACSA’s involvement does not by itself restart the platform, and any recovery timeline rests with the platform vendor.

What We Know About the Breach

Public statements on the Flexi Parking breach are still coming in as the platform remains offline. The clearest statements so far come from Selangor’s own committee chairman, who set a broad recovery window. He told reporters the system could be back online either today, tomorrow, or the following day. His statement put it directly.

‘There was a problem affecting transaction data and related systems. It was hacked.’

Datuk Ng Suee Lim, Selangor state local government committee chairman, addressed reporters at the 1 July briefing. He confirmed that transaction data on the Flexi Parking platform was hacked. He also asked every affected local council not to issue parking summonses for the two days the platform was offline.

Separately, a group calling itself MelayuSpiritual has claimed responsibility for the breach on a public-facing page. The post described the attackers as obtaining root access to a Flexi Parking server. The same page claimed about 7 million user records sat in the database the attackers allegedly accessed. The exploit used, the attackers say, was SQL injection combined with an unauthenticated file upload vulnerability.

The 7 million figure remains an attacker claim rather than a confirmed count. The Gotchaa Lab cybersecurity blog noted that the company has not confirmed whether any data was actually copied. Public reporting on the technical details so far traces back to the attackers’ own message rather than a third-party forensic brief.

The breach mechanism described by the attackers, SQL injection combined with an unauthenticated file upload, represents a class of security flaw that security researchers have documented for decades. Specific server details in the attackers’ post, including claims about a legacy kernel build, have not been verified. Flexi Parking’s most recent official statement, on its Facebook page, focused on service restoration rather than on the attackers’ claims. The platform vendor has not provided a confirmed tally of exposed records, if any. Until a forensic review is published or NACSA issues findings, the public read of how the attack worked stays limited to attacker statements.

  • 64 local councils nationwide using Flexi Parking for digital parking payments
  • The breach struck over a 48-hour window, per The Star
  • Hundreds of thousands of motorists affected across Selangor and other states
  • About 7 million user records allegedly accessed by attackers (claim not verified by the platform)
  • Flexi Parking’s pre-expansion footprint: more than 46 municipal councils across 9 states

Summonses Frozen, Alternative Apps Switched On

With the platform offline, several councils have moved to alternative payment arrangements and to a temporary pause on enforcement. Kuala Lumpur City Hall, or DBKL, told motorists to use EZ KL Smart Park, Setel, or MCash while the Flexi Parking service remains unavailable. Perbadanan Putrajaya told drivers at controlled parking locations to use Touch ‘n Go cards, debit cards, or credit cards instead. Port Dickson Municipal Council, or MPPD, suspended both parking payment services and parking enforcement activities while the platform completes recovery and technical testing.

| Council | Workaround announced |
|---|---|
| All 64 local councils nationwide | Hold off on issuing parking summonses for two days |
| Kuala Lumpur City Hall (DBKL) | Use EZ KL Smart Park, Setel, or MCash as alternatives |
| Perbadanan Putrajaya | Use Touch ‘n Go cards, debit, or credit cards at controlled parking lots |
| Port Dickson Municipal Council (MPPD) | Parking payment services and enforcement activities suspended |

The same Tuesday briefing framed the response nationally. Ng asked all PBTs, or local authorities, to refrain from issuing compounds for the next two days while the system is being restored. The Communications Ministry’s involvement through NACSA, announced Thursday, parallels ongoing state-led work. Restoration work is ongoing and a federal review through NACSA has begun, Communications Minister Fahmi Fadzil said on Thursday, July 2. The Communications Ministry has not given a date for NACSA findings to be released.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
