Data leak can lead to phone cloning, location tracking, says cybersecurity expert 

by FAYYADH JAAFAR/graphic by TMR

DATA leaks that have been reported as of late are worrying signs that indicate how vulnerable we are to cyberattacks.

Ensign InfoSecurity (M) Sdn Bhd’s cybersecurity analyst Izzmier Zulkepli said the data breaches would pose serious threats to millions of Malaysians since they include names, identification numbers, residential addresses, race, age group, gender and even photographs.

“This information can be used to clone your phone, track your whereabouts, trace your calls, read your messages, as well as get private and vulnerable photos and videos of you,” he told The Malaysian Reserve recently.

According to Izzmier, by just giving the bank one’s name and address, a criminal may make small modifications to their financial accounts without the victim’s knowledge and start an account in their name. The criminal may then use the account to get loans and credit cards, among others.

“And by the time we realise that our personal data has been sold, it is already too late to do anything about it,” he added.

The analyst believed that the responsible government entities should do more to enhance the country’s cybersecurity to protect the citizens.

He also feels that these issues stem from outdated anti-hacker security, a lack of fundamental authentication mechanisms, a lack of awareness training, and an alarming absence of encryption of important data.

“From my point of view as a cybersecurity analyst, to make sure personal data is safe and secured online, all personal data that is digitally processed must be encrypted; passwords or passphrases used to access personal data should be of sufficient strength to prevent password forgery; and use technologies that prevent personal data from being copied to a local machine.

“A government agency might also think about making it illegal to use cameras in places where personal information is shown or handled,” he added.

In response to the recent data breaches, Izzmier said hackers like attacking government entities’ web services since they are generally “soft” targets and they may obtain important information via phishing assaults. 

They often profile email addresses acquired from data breaches and link them to existing social media profiles to target accounts and carry out spear phishing attacks.

For example, he said government workers who have opened their Facebook or LinkedIn accounts using their work email are increasing their risk of phishing attacks through one of those networks.

“These phishing attacks may also involve malware sent as attachments in email, which can lead to data exfiltration and ransomware attacks. The biggest problem with phishing attacks is that the technique works surprisingly well,” he added.

Izzmier went on to say that the dark web is a place where you can purchase and sell anything, including personal data, however, not everyone can access it due to the stolen information.

“Private information is traded online because data is the digital equivalent of oil or gold, but more so, it can be used to affect future behaviours. So, they can use that data to sell it to you again, or to others for a profit.

“Data collection and sales are a huge part of the modern digital economy. From sole proprietor online shops to tech giants like Google and Facebook, user data is used for everything to do with sales, marketing, product development, user experience and more,” he explained.

He urged the government to evaluate and rewrite obsolete legislation to combat cybercrime by developing a comprehensive legislative framework and recruiting information technology professionals for all agencies.

“Currently, Malaysia does not have a specific law addressing cybersecurity-related offences. Government organisations of all levels are required to adhere to a specific set of data privacy laws based on their location and the data they collect,” he said.

Izzmier encouraged the public to educate themselves more about cybersecurity and to not give out their personal information easily. 

“Please be aware that a government organisation would never ask for money over the phone. They should write you an email or invite you to the office to resolve such matters,” he said.

Meanwhile, Defence Minister Datuk Seri Hishammuddin Hussein said the recent alleged data leak of personal information belonging to 22.5 million Malaysians will not jeopardise national security.

He said the Home Ministry was well-equipped to handle any alleged data leaks, but acknowledged the concern among many quarters over the matter.

“The Home Ministry has the Special Branch, and I’ve worked with them in the past (as home minister). I believe that they are more than equipped (to handle such a threat).

“Also, this sort of threat does not jeopardise our national security,” he said at a press conference today.

Home Minister Datuk Seri Hamzah Zainudin had earlier denied the leak, stating the dataset did not belong to the National Registration Department, while Bukit Aman’s commercial crime investigation department said it is investigating the allegations.