Personal data of millions of Malaysians up for sale, source of breach still unknown

Biggest data breaches ever in Malaysian history.

This is not looking good. Lowyat Forums has received a tip-off that someone was selling huge databases of personal details belonging to Malaysians.

While they did brush it off as just another scammer looking to make a quick buck at first, they decided to dig a little further and discovered that this could be one of the biggest data breaches ever in Malaysian history.

What is up for sale, for an undisclosed amount in bitcoin, is millions of personal data records of Malaysians, belonging to the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia.

That's not all. The mother lode, however, is customer data from a huge list of Malaysian telcos, which includes Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.

The breached Jobstreet database contains almost 17 million rows of customer information, which includes the candidate's name, login name, hashed passwords, email id, nationality, address and handphone number. It has to be noted, however, that the data seems to have been obtained somewhere between 2012 and 2013, and also includes non-residents of Malaysia.


The leaked data from the Malaysian Medical Association contains over 20,000 records, while the data from the Malaysian Medical Council, which oversees the registration of all Medical Practitioners in Malaysia, contains close to 62,000 records. The data available includes personal details, IC numbers, home and operating addresses as well as mobile numbers.

Based on the dates in the data, it is safe to say that the data breach took place sometime in 2014-2015.

And yes, they did save the biggest of the lot for last. Also up for sale are over 50 million records from various telcos. The data includes customer names, billing addresses, mobile numbers, SIM card numbers, IMSI numbers, handset models as well as IC numbers of customers.

Based on the data, we estimate the breach could have happened anywhere from 2012-2015. Not all the data seems up to date, as we believe the data has been merged from multiple sources.

Lowyat Forums will be reaching out to the telcos as well as the other organisations above to get their feedback on this.

While they have taken all efforts to ensure that illegal sales like this are removed from the Forums, we are also aware that the same data is being peddled across a number of other online channels.

Please be reminded that the sale of stolen data is strictly prohibited and punishable by law. The Malaysian Communications And Multimedia Commission (MCMC) has been alerted to this issue and will be taking strict action against those found guilty of selling or buying such data.

