Petaling Jaya MP Lee Chean Chung has intensified calls for the Selangor government to conduct a thorough investigation into a recent cyberattack targeting the Selangor Intelligent Parking service, demanding urgent accountability and transparency regarding the security breach. The legislator has outlined specific areas requiring public disclosure, including the root cause of the attack, the extent of personal data compromised, any financial losses incurred, and the remedial steps authorities plan to implement in response.
The breach has raised serious questions about how the state manages sensitive citizen information entrusted to government-linked digital platforms. Lee argues that Selangor residents deserve comprehensive answers about what happened, who was affected, and how the state will prevent similar incidents. Without satisfactory explanations forthcoming from official channels, he has suggested that state representatives escalate the matter by requesting the Selangor Select Committee on Competency, Accountability and Transparency to conduct a formal public hearing, ensuring scrutiny beyond executive announcements.
At the heart of Lee's concerns lies a broader strategic question about how Malaysia's states should approach digital infrastructure development. The incident has reignited his previous warnings about the Selangor Intelligent Parking model, which operates as a public-private partnership where a private concessionaire receives half of all parking revenue collected through the system. This revenue-sharing arrangement creates financial incentives that may not align perfectly with public interest, particularly when it comes to investing adequate resources in cybersecurity protections.
Lee first raised alarm bells about the parking system's sustainability in July 2025, when he called for an immediate halt to the Selangor Intelligent Parking (SIP) service pending a comprehensive policy review. His argument centred on whether the state's framework and implementation approach adequately served public needs or instead prioritised commercial returns to the private operator. The cyberattack now provides practical evidence of the vulnerabilities inherent in outsourcing critical digital systems to external companies, particularly when those companies bear operational responsibility but may lack the institutional commitment to security that a public agency might demonstrate.
The incident illuminates a fundamental tension in Malaysia's governance approach. While the federal government has invested in building GovTech as a dedicated institution to strengthen in-house digital capabilities and reduce reliance on external vendors, Selangor has moved in the opposite direction through its partnership-based model. GovTech's core mission involves breaking down data silos across government agencies and creating a unified, resilient public-sector technology ecosystem. By contrast, the Selangor Intelligent Parking model concentrates operational control with a private entity, potentially duplicating systems and limiting information sharing across government platforms.
This strategic divergence matters significantly for citizen protection and public sector effectiveness. When residents and motorists are required to provide personal information and conduct financial transactions through government digital systems, there exists an implicit social contract: the government will treat that trust as sacred and implement the highest possible security standards. Lee contends that outsourcing critical infrastructure to private operators, however professional they may be, introduces additional layers of risk and diffuses accountability when problems occur. Citizens may find themselves caught between a state government claiming it relies on the private operator's security measures and a private company arguing that ultimate responsibility lies with the state.
The cybersecurity landscape in Southeast Asia has grown increasingly hostile in recent years, with parking systems and mobility platforms representing particularly attractive targets for threat actors seeking to harvest personal data, financial information, and location histories. A successful breach of such systems can expose not only payment card details but also precise records of individuals' movements and habits. For a state like Selangor, which encompasses greater Kuala Lumpur and hosts millions of daily commuters, the potential scale of exposure is substantial.
Lee's insistence on transparency carries particular weight given Selangor's strategic importance within Malaysia's economy and governance landscape. The state generates significant revenue through parking systems and other urban services, making it a demonstration case for other states considering similar public-private models. If Selangor cannot satisfactorily manage cybersecurity risks while maintaining private sector partnerships, other states considering comparable arrangements will face legitimate questions about viability. Conversely, if the state responds with comprehensive disclosure, serious remediation, and structural improvements, it can establish best practices for managing digital infrastructure in partnership arrangements.
The timing of this episode coincides with broader global and regional trends in digital governance. Malaysia has positioned itself as a technology hub and digital-first nation, and both state and federal governments have made significant commitments to modernising public services through technology. However, modernisation that sacrifices security or transparency undermines long-term public confidence in digital governance. Citizens in Selangor and nationwide will be watching closely to see whether authorities prioritise openness and accountability or attempt to minimise the incident.
Lee's proposal for a public hearing before the Select Committee on Competency, Accountability and Transparency represents a constructive institutional response that could transform a crisis into an opportunity for democratic oversight. Such proceedings would allow independent legislators to question officials and private operators directly, examine evidence, and potentially recommend systemic reforms. The precedent established through Selangor's handling of this breach will influence how other states approach digital infrastructure governance and public-private partnerships for years to come.
Beyond the immediate security incident, Lee's critique highlights the importance of deliberately building public-sector digital capacity rather than defaulting to privatisation whenever technical challenges arise. Investing in government technology capabilities requires sustained commitment and funding, but it creates institutional memory, reduces vendor lock-in, and ensures that decision-making power remains accountable to elected officials. The federal government's GovTech initiative reflects this understanding, positioning Singapore and South Korea as comparative models where robust public-sector technology development has enhanced rather than hindered innovation.
Moving forward, Selangor has an opportunity to use this cyberattack as a catalyst for policy recalibration. The state could explore how to strengthen in-house digital capabilities, establish more robust security standards for any private partnerships, and create clearer lines of accountability when breaches occur. For Malaysian readers and administrators nationwide, Selangor's experience underscores that questions about who controls digital infrastructure, who profits from it, and who bears responsibility when things go wrong are not merely technical issues but fundamental questions of governance and public trust.
