Culprits behind personal data sale narrowed

by P PREM KUMAR & DASHVEENJIT KAUR / pic by TMR graphics

The government has identified the sources behind the leak of more than 46 million mobile-phone subscribers’ personal records online in what is believed to be the country’s largest data invasion case.

Communications and Multimedia Minister Datuk Seri Salleh Said Keruak said the authorities have also managed to identify the possible sources for the leak, which led to the alleged sale of consumer data that was obtained illegally.

Salleh said the government views such data breach cases seriously and it is committed in taking necessary steps to resolve the matter.

“The Malaysian Communications and Multimedia Commission (MCMC) had a meeting with the telcommunication companies (telcos) in seeking their cooperation to the issue.

“The matter is now being investigated by the MCMC and police. However, we have already identified the sources from where the leakages might had occurred,” he told reporters in the Parliament lobby yesterday.

Salleh assured that the issue would be resolved as soon as possible as it affects the confidence of the people on the authorities and online systems.

On Monday, authorities confirmed the data breach of 46.2 million records which include personal details — including identification card (IC) numbers, addresses and mobile numbers.

The personal records were put on sale for interested buyers. Sale of the data was reported by a tech news site Lowyat.net.

Lowyat.net disclosed that over, 46 million records of handphone users personal data and medical organisation information have been made available for sale.

Data from Malaysian Medical Association, Malaysian Medical Council and Malaysian Dental Association totalling 81,309 have also been leaked.

The breach of 46.2 million records of personal data from the telco and medical players was believed to have occurred recently, although the data has a time-stamp backdated to 2014.

The data breach can have a damaging impact in the wrong hands, as the information can be used from applying for credit cards, to spamming for confidential information.

An industry expert said there is no way of knowing exactly how much of the information from the breached data had been leaked, and that could pose a danger.

“With your full name, address and IC number, one can apply for a loan under your name or have certain items shipped to you. It is definitely a dangerous situation,” the expert told The Malaysian Reserve (TMR) on Tuesday.

Telco providers had fully cooperated with the investigation and have been cleared of any unauthorised intrusion or hacking into their databases.

“It does not appear that each telco was hacked separately. Some organisations did not appear to have suffered any form of attacks,” a source told TMR.

Experts have zoomed into three theories behind the data breach. One is the unauthorised hack of individual companies. The other is, the data was stolen from a consolidated site, which holds all the information. And thirdly, the sale of the information by unscrupulous parties.

Experts have also questioned why all the data was released on the same day.

All the records collected by services providers are protected under the Personal Data Protection Act 2010.