Bank Rakyat fined RM1 million for cybersecurity failures after major breach
Bank Rakyat has been fined RM1 million by Bank Negara Malaysia (BNM) for failing to protect its IT systems from cyber threats. The penalty follows an investigation into security breaches caused by an external attacker gaining unauthorised access to the bank's infrastructure.
BNM highlighted serious weaknesses in the bank's cybersecurity controls and incident response procedures, leading to the enforcement action. The breaches occurred after an external threat actor infiltrated Bank Rakyat's IT systems. BNM's investigation revealed that the bank had not implemented strong enough cybersecurity measures to safeguard customer data. This violated BNM's Risk Management in Technology policy as well as its rules on handling customer information.
BNM linked the failures to poor cybersecurity standards and slow response times when addressing the incident. The regulator also noted that this was not the first time Bank Rakyat had faced penalties in 2025. In June of that year, the bank was fined RM2.85 million for unrelated breaches.
When deciding the RM1 million penalty, BNM took into account the severity of the breaches, Bank Rakyat's past compliance record, and how the bank handled the situation afterwards. The fine was officially issued on 20 January 2026 and paid in full by the bank six days later.
Bank Rakyat says that since the incident it has strengthened its cybersecurity defences, ICT controls, and governance policies to prevent future breaches. The RM1 million penalty serves as a reminder of the importance of robust cybersecurity in financial institutions. Bank Rakyat has now updated its security framework, but the fine remains part of its regulatory record. BNM continues to monitor the bank's compliance with technology and data protection rules.