The Cyber Criminal might be one of your own suppliers: how the law protects you

    In today’s increasingly digital economy, businesses rely heavily on web developers and IT service providers to build, maintain, and secure their online presence. However, a troubling issue has emerged: cases where service providers embed hidden control mechanisms or “security layers” into websites, only to later restrict access and demand additional payment. What may initially appear to be a contractual dispute can, in reality, constitute serious violations of Malaysian cyber and criminal law.

    Malaysia’s Cyber Security Act 2024 (Malaysia) represents a major step forward in strengthening national cybersecurity. The Act is primarily focused on protecting National Critical Information Infrastructure (NCII), including sectors such as banking, healthcare, and government systems. It introduces regulatory oversight for cybersecurity service providers, mandates incident reporting, and empowers authorities to respond to cyber threats.

    Cases where service providers embed hidden control mechanisms or “security layers” into websites, only to later restrict access and demand additional payment. What may initially appear to be a contractual dispute can, in reality, constitute serious violations of Malaysian cyber and criminal law. Source: AI-generated image – News Hub Asia – file photo

    While the Act is not specifically designed to address disputes between businesses and developers, it becomes highly relevant if a compromised system falls within regulated or critical infrastructure. Non-compliance carries significant penalties. For example, failure to comply with directives or licensing requirements can result in fines of up to RM500,000 and imprisonment of up to 10 years. Failure to report cybersecurity incidents may result in fines of up to RM100,000 and imprisonment of up to 5 years. These provisions underscore the seriousness with which Malaysia treats cybersecurity governance.

    More directly applicable to the scenario is the Computer Crimes Act 1997, which criminalizes unauthorized access to and modification of computer systems. A developer who inserts hidden backdoors, retains undisclosed access, or alters system functionality without authorization may fall squarely within its scope. Unauthorized access alone can result in fines of up to RM50,000 and imprisonment of up to 5 years. If the access is carried out with intent to commit further offences, penalties increase to fines of up to RM150,000 and imprisonment of up to 10 years. Unauthorized modification of system contents, such as locking a client out of their own website, can result in fines of up to RM100,000 and imprisonment of up to 7 years, rising to RM150,000 and 10 years if serious damage is caused.

    In addition, the Penal Code (Malaysia) addresses the broader criminal elements of such conduct. If a developer withholds access and demands payment, this may constitute extortion under Section 384, which carries penalties of up to 10 years’ imprisonment, fines, or both. If deception is involved, Section 420 (cheating) may apply, allowing courts to impose imprisonment of up to 10 years along with fines and, in some cases, whipping. Criminal breach of trust provisions may also be invoked where a developer abuses their position for personal gain.

    The Communications and Multimedia Act 1998, enforced by the Malaysian Communications and Multimedia Commission (MCMC), may also be relevant. Section 233 addresses the improper use of network facilities or services. Where a developer uses digital infrastructure to disrupt services or coerce payment, penalties can include fines of up to RM50,000, imprisonment of up to one year, or both, along with additional daily fines for continuing offences.

    Beyond criminal liability, civil consequences can be equally severe. Affected businesses may pursue claims for breach of contract, particularly where full ownership and access were contractually guaranteed. Fraud or misrepresentation claims may arise if hidden control mechanisms were not disclosed. Importantly, reputational damage is also actionable. If a company suffers loss of customer trust, revenue, or brand value due to such actions, Malaysian courts may award damages reflecting both financial and reputational harm. Unlike criminal fines, civil damages are not capped and can be substantial depending on the scale of loss.

    The repercussions of being found guilty extend far beyond fines and imprisonment. Individuals and companies involved may face blacklisting, termination of business relationships, and long-term damage to their professional credibility. In industries where trust is paramount, reputational harm can have lasting consequences that far exceed any statutory penalty.

    From a cybersecurity perspective, these incidents highlight the importance of strong governance and due diligence. Businesses should ensure that contracts clearly define ownership, access rights, and system control. Independent audits, secure credential management, and periodic code reviews can help detect and prevent unauthorized mechanisms from being embedded.

    Ultimately, Malaysia’s legal framework provides robust protection against such abuses. While the Cyber Security Act 2024 strengthens national resilience, existing laws already impose serious consequences on those who misuse their technical position for personal gain. Developers who attempt to hold clients “hostage” are not operating in a grey area: they are exposing themselves to significant criminal liability, financial penalties, and lasting reputational damage.

    Businesses are encouraged to act proactively, safeguard their digital assets, and seek legal recourse where necessary. In an era where digital trust underpins economic activity, accountability is not optional; it is essential.