Post updated October 21st, 2017 at 12:46 am
Update 9pm 20th October: MCMC has issued a statement, and given us approval to restore the original article.
The MCMC have confirmed, based on the press statement released above that an investigation on the data breach based on our report yesterday is underway.
Update 9pm 19th October: MCMC has requested the removal of this article. We are still awaiting an official statement from them.
This is not looking good. Late yesterday, we received a tip off that someone was selling huge databases of personal details belonging to Malaysians on Lowyat Forums.
While we did brush it off as just another scammer looking to make a quick buck at first, we decided to dig a little further and discovered that this could be one of the biggest data breaches ever in Malaysian history.
What is up for sale – for an undisclosed amount in bitcoin is millions of personal data of Malaysians belonging to Jobstreet.com, the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia.
Thats not all, the mother load however is customer data from a huge list of Malaysian Telcos, that include Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.
The breached Jobstreet database contains almost 17 million rows of customer information, which includes the candidate’s name, login name, hashed passwords, email id, nationality, address and handphone number. It has to be noted however that the data seems to have been obtained somewhere between 2012 and 2013, and also includes non residents of Malaysia.
The leaked data from the Malaysian Medical Association contains over 20,000 records, while the data from the Malaysian Medical Council which overseas the registration of all Medical Practitioners in Malaysia contains close to 62,000 records. The data available includes personal details, IC numbers, home and operating addressed as well as mobile numbers.
And yes, we did save the biggest of the lot for last. Also up for sale is over 50 million records from various telcos. The data includes customer names, billing addresses, mobile numbers, sim card numbers, imsi numbers, handset models as well as IC numbers of customers.
Based on the data, we estimate the breach could have happened anywhere from 2012-2015. Not all the data seems up to date as we believe the source of the data has been merged from multiple sources.
We will be reaching out to the telcos as well as the other organisations above to get their feedback on this.
While we have taken all efforts to ensure that illegal sales like this is removed from our Forums, we are also aware that the same data is being peddled across a number of other online channels.
Please be reminded that the sale of stolen data is strictly prohibited and punishable by law. The Malaysian Communications And Multimedia Commission (MCMC) have been alerted to this issue and will be taking strict action against those found guilty of selling or buying such data.