The MCMC has confirmed, based on the press statement released above, that an investigation into the data breach based on our report yesterday is underway.

[UPDATE 1 – 19 OCT, 9:00 PM]: MCMC has requested the removal of this article. We are still awaiting an official statement from them.

[ORIGINAL STORY – 19 OCT, 6:30 PM]: This is not looking good. Late yesterday, we received a tip-off that someone was selling huge databases of personal details belonging to Malaysians on Lowyat Forums. While we did brush it off at first as just another scammer looking to make a quick buck, we decided to dig a little further and discovered that this could be one of the biggest data breaches ever in Malaysian history.

What is up for sale, for an undisclosed amount in bitcoin, is the personal data of millions of Malaysians belonging to Jobstreet.com, the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia. That’s not all; the mother lode, however, is customer data from a huge list of Malaysian telcos, which includes Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.

The breached Jobstreet database contains almost 17 million rows of customer information, which includes the candidate’s name, login name, hashed passwords, email ID, nationality, address and handphone number. It has to be noted, however, that the data seems to have been obtained somewhere between 2012 and 2013, and also includes non-residents of Malaysia.

The leaked data from the Malaysian Medical Association contains over 20,000 records, while the data from the Malaysian Medical Council, which oversees the registration of all medical practitioners in Malaysia, contains close to 62,000 records. The data available includes personal details, IC numbers, home and operating addresses as well as mobile numbers. Based on the dates in the data, we can safely say that the data breach took place sometime between 2014-2015.

The breached Housing Loan Application data contains over 720,000 records and includes a wealth of personal information of housing loan applicants: name, IC numbers, contact numbers, emails, blacklist status, ethnicity, address, job, employer details, salary as well as details of spouses. We are unable to determine the exact time the data was breached as there are no dates tied to the data.

And yes, we did save the biggest of the lot for last. Also up for sale are over 50 million records from various telcos. The data includes customer names, billing addresses, mobile numbers, SIM card numbers, IMSI numbers, handset models as well as IC numbers of customers. Based on the data, we estimate the breach could have happened anywhere from 2012-2015. Not all the data seems up to date, as we believe the data has been merged from multiple sources.

We will be reaching out to the telcos as well as the other organisations above to get their feedback on this. While we have taken all efforts to ensure that illegal sales like this are removed from our Forums, we are also aware that the same data is being peddled across a number of other online channels. Please be reminded that the sale of stolen data is strictly prohibited and punishable by law. The Malaysian Communications and Multimedia Commission (MCMC) has been alerted to this issue and will be taking strict action against those found guilty of selling or buying such data.