Beyond the Legal Firewall: Crossing Malaysia’s Digital Crime Lines

In recent years, Malaysia has seen a sharp increase in cybercrime, fuelled by wider internet access, growing dependence on digital services, and the anonymity of online platforms. Crimes such as hacking into computer systems, sharing pornographic material, and online blackmail have become more common and a matter of public concern.

These crimes have shown a trend of early onset in recent years, with cases even happening on school and university campuses. They not only threaten personal privacy and security but also test the effectiveness of existing legal frameworks. Moreover, because such crimes transcend geographical boundaries, enforcement has become increasingly complex and urgent.

The Computer Crimes Act 1997 [CCA 1997] serves as Malaysia’s primary legislative tool for addressing unauthorized access to computer systems. CCA 1997 works alongside other statutes, such as the Penal Code and the Communications and Multimedia Act 1998, to regulate offences involving pornographic content and cyber blackmail.

Section 3 of CCA 1997 criminalizes the act of “unauthorized access to computer material”. This covers situations such as opening someone’s private email, accessing social media accounts without permission, or retrieving files from another person’s device without lawful authority.

According to Section 3 of CCA 1997 – Unauthorized access to computer material

3.   (1)   A person shall be guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorized; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

 

Meanwhile, Section 4 of CCA 1997 extends the liability to cases where unauthorized access is carried out with the intent to commit further offences, such as cyber blackmail, fraud, or dissemination of pornographic content. Taken together, these provisions address not only the initial breach of digital privacy but also the subsequent criminal exploitation that may follow.

According to Section 4 of CCA 1997 – Unauthorized access with intent to commit or facilitate commission of further offence

4.   (1)   A person shall be guilty of an offence under this section if he commits an offence referred to in section 3 with intent—

(a) to commit an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code [Act 574]; or

(b) to facilitate the commission of such an offence whether by himself or by any other person.

Section 4 of the CCA explicitly refers to offences involving fraud, dishonesty, or injury as defined under the Penal Code. This provision criminalizes unauthorized access to a computer or mobile device with the intent to commit another offence, even where that offence is governed under a different statute, such as the Penal Code (Act 574) and the Film Censorship Act 2002 (Act 620).

Example Scenario: An individual hacks into a victim’s phone, retrieves intimate videos and threatens to release them unless money is paid.

  • Sections 3 & 4 CCA: Unauthorized access with intent to blackmail
  • Section 292 Penal Code: Possession or distribution of obscene material
  • Sections 383–389 Penal Code: Extortion and Criminal Intimidation
  • Film Censorship Act: Possession of uncensored films

This shows how Section 4 acts as a legal bridge, connecting cyber intrusion to traditional criminal offences. Put differently, Section 4 of the CCA criminalizes the initial access that enabled the offence. Under the Penal Code, provisions on extortion and criminal intimidation (Sections 383–389) directly apply, capturing threats to expose obscene content unless demands are met. In practice, cases of digital blackmail often involve a chain of offences: unauthorized access under the Computer Crimes Act, unlawful possession of obscene content, and extortion under the Penal Code.

 

Legal gaps in the current law and further action

Despite Malaysia’s legal framework, enforcing cybercrime laws presents significant challenges. Evidentiary hurdles often arise, particularly in proving criminal intent and establishing the identity of perpetrators, as digital footprints can be manipulated or erased. Effective prosecution depends heavily on digital forensics, which in turn requires both technical expertise and adequate resources.

Jurisdictional complexities also pose difficulties, since cybercrimes frequently transcend borders, raising questions on international cooperation and the extraterritorial scope of Malaysian laws. Another difficulty lies in harmonizing modern cyber legislation with traditional criminal statutes to ensure consistency and avoid overlapping provisions. Beyond legal mechanisms, low public awareness of digital rights and responsibilities also hampers enforcement, leaving individuals vulnerable to exploitation.

Referring back to the example mentioned above, a problem arises when the notion of “willful possession” in cyberspace enters a grey area, particularly in cases where images or videos are automatically saved or shared without the user’s explicit intention. The risks escalate when unauthorized access intersects with such materials, for instance when private images are stolen from a device and used as leverage for blackmail.

Hence, Malaysia is in the process of drafting a new Cybercrime Bill and amending the Communications and Multimedia Act 1998 (Act 588) to better address modern digital threats and crimes that have emerged alongside technological advancements.

The National Cyber Security Agency (NACSA) is finalizing a new Cybercrime Bill to replace the Computer Crimes Act 1997, which is widely regarded as outdated in addressing today’s digital threats and offences. This new law is expected to:

  • Expand definitions of cyber offences, including unauthorized access, data theft, and digital extortion.
  • Align Malaysia’s accession with international frameworks like the Budapest Convention and the UN Convention Against Cybercrime.
  • Strengthen cybercrime laws to address emerging threats such as AI-driven offences (e.g. deepfakes used for blackmail or harassment), ransomware attacks, and persistent cross-border enforcement gaps.
 

Apart from the drafting of new laws, amendments to the Communications and Multimedia Act 1998, in effect since February 2025, provide more protection to the public and fill the gaps that have arisen. These amendments include:

  • Introduce stricter penalties for online crimes including pornographic content, cyberbullying, and sexual exploitation.
  • Clarify vague terms like “offensive content” by redefining them as “grossly offensive,” making prosecution more precise.
  • Empower the Malaysian Communications and Multimedia Commission (MCMC) to regulate platforms more effectively.
  • Reinforce Section 233, which criminalizes misuse of network facilities to distribute obscene or threatening content.
 
The rise of cybercrime underscores the urgent need for adaptive legal responses in Malaysia. While the Computer Crimes Act 1997 has provided important safeguards, its enforcement continues to be constrained by evidentiary hurdles, cross-border complexities, and public awareness challenges. Addressing these gaps through clearer legislation, greater resourcing, and stronger public education is essential to building a resilient digital society—one where an informed citizenry, supported by coherent laws, forms the strongest defence against cybercrime.