The personal data of “millions” of Malaysian citizens has reportedly been listed for sale online in what could potentially be the biggest information leak in the country’s history.
Malaysian technology website Lowyat said it found an unknown seller offering the personal data of millions of Malaysians on its forum for an undisclosed amount in bitcoin. The private data was illegally obtained. After investigating, the website published screenshots of the exposed data from various organisations last Thursday.
The largest data set was reportedly collated from a slew of telecommunications companies, with 50 million customer records featuring names, MyKAD numbers (IC), handset descriptions, addresses, SIM numbers and IMEI numbers. They allegedly include customer data from Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, Tune Talk, U Mobile and XOX. Lowyat said the breach could have happened between 2012 and 2015.
There are over 30 million mobile subscribers in the country.
The other customer data are from Jobstreet.com, the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia.
Lowyat said: “The breached Jobstreet database contains almost 17 million rows of customer information, which includes the candidate’s name, login name, hashed passwords, email id, nationality, address and handphone number. It has to be noted, however, that the data seems to have been obtained somewhere between 2012 and 2013, and also includes non-residents of Malaysia.”
It also added: “The leaked data from the Malaysian Medical Association contains over 20,000 records, while the data from the Malaysian Medical Council, which oversees the registration of all Medical Practitioners in Malaysia, contains close to 62,000 records. The data available includes personal details, IC numbers, home and operating addresses as well as mobile numbers.”
On the same day the article was published (19 October 2017), the Malaysian Communications and Multimedia Commission (MCMC) requested that Lowyat remove the article and the forum postings. However, MCMC allowed Lowyat to re-publish the original article the next day. No changes were made to the article.
Lawyers for Liberty has issued a media statement asking MCMC to explain the reasons for this action (asking Lowyat to remove the article), and whether the report has any basis, as the implications are extremely serious and would affect the security and personal data of millions of Malaysians.
“Instead of shooting the messenger, MCMC should be more alarmed at the contents of the report which should be MCMC’s primary concern i.e. the personal data security of the communications and multimedia industries and the prevention of online fraud.”
Sources close to MalaysianWireless said that all parties involved, including the Telcos, are working closely with MCMC on the investigation. It is believed the Special Branch of the Royal Malaysian Police is investigating the case.
MCMC has yet to issue a statement on the data breach while the Personal Data Protection Commission reportedly said it is also investigating it.
To date, none of the Telcos have admitted the breach.
Screenshot of the Lowyat article: