Data breached, 46m personal records for sale

Data from MMA, MMC and MDA totalling 81,309 have also been leaked, according to


Companies and organisations were scrambling yesterday to contain the damage after it was confirmed that over 46 million personal records were stolen and offered for sale in the country’s largest data breach.

Online tech news publication disclosed that over 46 million records of handphone users' personal data and medical organisation information have been made available for sale.

Mobile-phone users' information, including name, number, addresses and other details such as International Mobile Equipment Identity and International Mobile Subscriber Identity numbers, is available for interested buyers.

Data from Malaysian Medical Association (MMA), Malaysian Medical Council (MMC) and Malaysian Dental Association (MDA) totalling 81,309 have also been leaked.

MMA yesterday confirmed the data breach involving 20,000 records and it had lodged a police report.

MMA president Dr Ravi Shankar said the association is currently working with authorities to identify the culprit behind the data breach.

Maxis Bhd, Celcom Axiata Bhd and DiGi.Com Bhd, the country’s three largest mobile operators which had been the victims of the data breach, are collaborating with the authorities over the matter.

“Celcom is collaborating closely with the authorities to assist in the investigation,” Celcom Axiata said in a statement, while Maxis said: “We fully support the investigation.”

“We prioritise the privacy of our customer data. The authorities are looking into the matter and we’ll continue to support them in facilitating the investigation,” DiGi said in a statement.

Dr Ravi said MMA only knew about the information leaks after it was highlighted by yesterday.

He said MMA was already taking security measures to improve its computer system security and believed the data breach occurred when the information was hosted offsite.

“I’m not sure how it was before, but I think the leaks occurred when the data was already hosted offsite,” he told The Malaysian Reserve yesterday.

“We will also be upgrading our operational security measures and introducing new standard operating procedures (SOP) for our staff to minimise the risk of a repeat of this episode.”

“An IT officer will be responsible for preparing the new SOP, which will then be looked at by the computer technical committee,” he said, adding that most of the data is stored on cloud servers.

Cloud servers are offsite digital storage farms which allow companies to store and access their data from everywhere. Such services reduce IT (information technology) costs for companies compared to managing their own systems. But such storage can be vulnerable to unauthorised access.

Dr Ravi said the data stolen from the MMA database contains names, phone and identification card numbers.

It is believed that the leaked data was updated between May and July 2014, and was discovered when certain individuals tried to sell the information on online forums including on The data breach involved 12 telcos and mobile-virtual networks.

CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab said the data breach is currently being investigated by the police and cautioned companies to secure their data against malicious breaches.

“Personal data is a treasure to cybercriminals. In today’s constant connectivity, rising data volumes and multiple access points will expose weaknesses within the IT infrastructures and enable cybercriminals to perform data breaches,” he said.