46.2 Million Malaysian Mobile Phone Numbers Leaked From 2014 Data Breach

Following up on our report on 19th October, we can now confirm that roughly 46.2 million mobile phone numbers from Malaysian telcos and mobile virtual network operators (MVNO) have been leaked online.

The leak includes postpaid and prepaid numbers, customer details, addresses as well as sim card information – including unique IMEI and IMSI numbers.

Time stamps on the files we downloaded indicate the leaked data was last updated between May and July 2014 between the various telcos. The exact numbers, broken down by telco/MVNO provider, and further broken down by prepaid or postpaid segments are as below.

Telco/MVNO
Total Records
Last Updated
Celcom Prepaid
 10,548,183
03-06-2014
Celcom Postpaid
 4,194,315
03-06-2014
Digi Prepaid
 11,411,815
30-05-2014
Digi Postpaid
 2,036,730
30-05-2014
Umobile postpaid + prepaid
 3,866,672
30-05-2014
Maxis Postpaid
 2,840,741
29-07-2014
Maxis Hotlink
 9,562,019
29-07-2014
Friendi Mobile
 43,523
29-06-2014
MerchantradeAsia
 446,203
07-07-2014
Tunetalk
 597,276
unknown
Redtone
 246,613
30-05-2014
XOX
 79,139
30-05-2014
Altel
 24,279
unknown
PLDT
 68,900
17-07-2014
EnablingAsia
 212,139
30-04-2014
Total
  46,178,547

We are also now fairly certain that the individual who tried to sell the data two weeks back acquired the data in a similar fashion that we did, and tried to make a quick profit by attempting to sell it on our Forums.

We have shared all details regarding the data that we uncovered, as well as how we managed to obtain all the data with the MCMC last week.

Celcom Prepaid List – 10.5 million records
DiGi Prepaid List – 11.4 million records

The MCMC is following up with the relevant agencies to determine the source of the breach, but we now believe that the data was already being traded online much earlier then we first estimated. Based on the condition of the files that we obtained, we are quite certain that it has already changed hands more than once.

Medical Practitioners Database

Aside from the telco database, we can now also confirm that a total of 3 databases belonging to the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA), as well as the Malaysian Dental Association (MDA) have also been leaked.

Database
Total Records
Last Updated
Malaysian Medical Association (MMA)
15,965
05-02-2015
Malaysian Medical Council (MMC)
61,062
06-03-2015
Malaysian Dental Association (MDA)
4,282
25-01-2015
Total
81,309

As mentioned in our previous post, these medical databases include personal information, MyKad numbers, mobile/work/home phone numbers, as well as work and residential addresses.

Remedial Action

We first highlighted about this data breach on 19th October, and we are extremely concerned that no remedial action has been taken by the service providers involved to protect those that have been affected by the breach.

In this day where everything is stored electronically, data security breaches are not something to be taken lightly. Any entity, public or private, that stores proprietary or sensitive data electronically could end up having that data stolen or lost – with catastrophic consequences.

While it is the task of the authorities to narrow down the source of the breach, and ensure that a similar incident doesn’t happen again, the key to containing any more serious damage is protecting the individuals affected by the breach.

We are urging the telco and MVNO companies mentioned above to alert and start immediately replacing the SIM cards of all affected customers, especially those who have not updated their SIM cards since 2014. While the leaked data alone isn’t sufficient to clone the SIM cards, the information available can be exploited to initiate multiple social engineering attacks against affected users.

Equifax notice and consumer information after their data breach, September 2017


Public awareness of the data breach, as well as vigilance
are critical to keeping consumers safe after a data breach. The United States have enacted the Security Breach Notification Laws across 48 states that requires private or governmental entities to notify individuals of security breaches of information involving personally identifiable information – with California enacting it as early as 2002.

Loading ...