Quann Malaysia (formerly known as e-Cop Malaysia), a regional cyber security services provider, warns that buyers can anonymously purchase 46.2 million Malaysian mobile users data for merely RM32,000 (estimated, after currency conversion).
The warning follows the recent revelation that 46.2 million Malaysian mobile users data was on sale for merely 1 Bitcoin (RM32,000). Last week, samples of list containing Malaysian mobile users data from telecommunication companies from 2014 went on sale. The leak includes postpaid and prepaid numbers, customer details, addresses as well as sim card information – including unique IMEI and IMSI numbers.
Such information may be used by hackers to carry out social engineering attacks to trick users into divulging financial information and passwords, or phone cloning where the identity of the user is copied to another phone, Quann Malaysia claimed.
Ivan Wen, General Manager of Quann Malaysia says, “It is almost impossible to stop any sale of the leaked data, unless the affected companies pay a ransom to the hacker or data thief. However, paying a ransom does not guarantee that the data will not be leaked. As such, we do not encourage companies to do so. This extremely attractive pricing for so much data will lead to a rise in the number of buyers who are confident they cannot be tracked.”
It is not clear at this stage if a ransom has been demanded from the telecommunications providers. However, it is believed that the entire list is now on sale for merely 1 Bitcoin or RM32,000. The sale in Bitcoin means that any company or person can anonymously purchase the whole list (of Malaysian users’ data) from this anonymous hacker.
Currently, while actual Bitcoin transactions are transparent online, the identities of both the seller and buyer remain anonymous and cannot be tracked; Wen says that few countries have yet to put in place proper KYC (Know-Your Customer) regulations with regards to Bitcoin purchases.
He said, “It is high time that we take a different approach to dealing with the spiraling number of worldwide ransomware demands.
We hope that regulators and policy makers will take action to put in more defined processes and regulations, for example in the upcoming Cyber Security law, to track the purchase and dealings in Bitcoin among Malaysians, so that fraudulent (data) purchases can be tracked.
Individuals or companies found purchasing these leaked data, should be penalised. Only when the buying stops, then only will the hacking stop as there are no more buyers to fund these hackers.”
He adds that as one of the leading financial institutions in the world, Bank Negara can lead by example and stop the fraudulent purchase of Malaysian data. “The Malaysian Communications and Multimedia Commission (MCMC) is most well equipped to aid Bank Negara in drafting air tight regulations to stop fraudulent buying.”
Meanwhile, Wen advises Malaysians who have not changed their SIM cards since 2014, to replace their SIM cards as soon as possible. He says, “Perhaps telecommunication companies should ensure these customers are able to change their SIM cards free of charge to encourage quicker resolution to this massive data breach incident.”
While SIM cards cannot be cloned with the leaked data, the data that has been breached is sufficient to cause significant damages to unsuspecting users, the cyber security company said.
Wen ends, “Quann works closely with our partners such as FireEye, MasterSAM, Symantec, RSA and a number of other security vendors to ensure that our Malaysian cyber security customers continually stay ahead of cyber threats that are constantly evolving and becoming more aggressive.
Unless the government and Bank Negara take action against the buyers, ransomware attacks will only get more intense in the future.”
Quann is a business unit of Singapore’s leading security organization, Certis CISCO.