Drivers across Selangor, Kuala Lumpur and other participating local-authority areas have recently run into problems with the Smart Selangor Parking and Flexi Parking apps. The outage is more than an inconvenience for people trying to pay for parking: Selangor has confirmed that the Flexi Parking system was hit by a cyberattack, affecting a platform used by 64 local authorities nationwide.
While recovery and system-migration work continues, Selangor Menteri Besar Datuk Seri Amirudin Shari said users will not be charged parking fees or issued compounds until the affected services are fully restored. Several councils have also published disruption notices advising users to follow official channels for updates.
A Parking App Outage That Reaches Far Beyond Parking
Parking apps have become part of everyday city life. They hold account details, vehicle registration numbers, payment histories and, in many cases, information connected to compounds or parking activity.
When a service like this goes offline, the impact spreads quickly. Drivers cannot make payments, councils lose a digital collection channel and frontline enforcement needs to be paused to avoid penalising people for a problem outside their control.
That is why this incident feels larger than a normal technical outage. It highlights how dependent public services have become on connected platforms, and how a security issue at one service provider can affect multiple councils and thousands, or potentially millions, of users at once.
Attackers Claimed Access to Millions of Records
Reports linked the attack to a group calling itself "MelayuSpiritual", which allegedly defaced affected systems and claimed that a database containing around seven million user records was accessible. However, that number remains an attacker claim and has not been independently verified by the operator, regulators or authorities.
This distinction is important. A defaced website or server does not automatically confirm that personal data was extracted, sold or misused. Still, when attackers publicly claim access to a large database, the organisation involved needs to investigate quickly, preserve forensic evidence and communicate clearly with users about whether their information may have been affected.
The Reported Weaknesses Are Not New
Cybersecurity researchers at Gotchaa Lab said the alleged compromise appeared to involve two well-known web security failures: SQL injection and unauthenticated file upload. The analysis is not an official forensic conclusion, but the weaknesses described are among the most preventable and damaging flaws in web applications.
SQL injection happens when an application treats user input as executable database commands instead of plain text. In simple terms, a badly protected search form, login field or URL parameter can be abused to manipulate or access the database behind it.
Unauthenticated file upload is equally serious. If a system allows outsiders to upload files without proper access controls, validation and storage restrictions, an attacker may be able to place malicious code on the server and gain much deeper access.
Neither issue is new, exotic or unavoidable. Modern frameworks and secure development practices already provide ways to prevent them, including parameterised database queries, server-side validation, strict upload controls and separation between uploaded files and executable application code.
Recent Incidents Make the Pattern Harder to Ignore
This comes after a string of recent cyber incidents involving Malaysian public-facing websites. The Ministry of Health's official portal was taken offline after a confirmed hacking incident, while NACSA said several government sites were affected by a critical vulnerability involving a Joomla content-editing extension.
Separately, the JAKIM Sabah website was also reportedly targeted in a recent incident, where attackers claimed to have accessed administrative email information.
There is no evidence that all of these incidents were carried out by the same people or used the same attack method. However, seeing multiple high-profile services affected within a short period should be a wake-up call for organisations that run public portals, payment apps and citizen-facing systems.
Security Cannot Be Treated as a One-Time Project
The biggest lesson is not simply "patch your website." Cybersecurity needs to be treated as an ongoing operational responsibility.
Organisations handling public data should regularly review their applications, infrastructure and third-party components. That includes checking for outdated plugins, conducting vulnerability scans, testing access controls, reviewing upload functions, monitoring suspicious activity and ensuring there is a clear incident-response plan when something goes wrong.
For services involving payments, parking records or personal details, the standard needs to be even higher. Convenience is important, but users also expect the systems they rely on every day to be secure, resilient and transparent when incidents happen.
What Users Should Do for Now
For affected Smart Selangor and Flexi Parking users, the practical advice is simple: rely only on official announcements from the relevant council, Smart Selangor Parking or Flexi Parking channels. Be cautious of links claiming to offer "account recovery", "parking refunds" or "data checks", especially if they ask for login details, card information or one-time verification codes.
Even after services return, users should stay alert for suspicious messages that reference their vehicle number, parking history or account details. Cybercriminals often take advantage of public outages by sending convincing phishing messages while people are actively looking for updates.
Final Thoughts
The Smart Selangor and Flexi Parking incident is a reminder that digital public services are now essential infrastructure. When they fail, everyday routines are disrupted almost immediately.
More importantly, the reported weaknesses involved are the kind that should already be addressed through secure development, patch management and regular testing. Malaysia's recent run of public-facing cyber incidents should not be viewed as isolated bad luck. It should encourage every organisation, especially those managing public data and digital payments, to take cybersecurity more seriously before the next outage becomes a much bigger breach.


Comments