It has now been over a month since we first reported of the massive Malaysian data breach that involved almost every Malaysian who owned a mobile phone number up to 2014.
Since then we have spent countless hours sharing our findings with the authorities, and haven’t been able to comment much on the issue to avoid being prejudicial to the investigations.
Rest assured we will disclose all our findings when the official investigations are completed.
Why is it taking so long?
Yes, the question almost everyone is asking, and one which I personally get asked at least half a dozen times a day. We asked ourselves the same question at one point in time, but when you look at the bigger picture, you will understand why it’s taking so long.
A data breach of this magnitude is not something anybody anywhere is prepared for. The fact that almost 95% of the entire Malaysian population is affected is a staggering statistic in itself.
If that’s not a challenge enough, throw in a dozen or so telecommunications companies, half a dozen government agencies, and an undisclosed number of independent contractors who had access to the data into the mix, and you end up with a concoction that will knock you out senseless.
Just for comparisons’ sake, Equifax, a US credit score rating agency, suffered a massive data breach earlier this year that went 3 months before being discovered. Even after it was discovered, it took almost 3 months, and over 8 weeks worth of investigations before disclosing it to the public. That is just one company – which had to deal with only one possible source of the data breach.
As we mentioned earlier, a data breach of this magnitude is not something anybody anywhere is prepared for. There is no set precedent to refer to, no standard operating procedure to adhere to, and with no prior training in dealing with a data breach – everybody involved is doing their best to get to the bottom of this.
The Malaysian National Registration Identity Card
Unlike a lot of other data breaches in the past, the Malaysian data breach closely resembles the Equifax breach because it involves personal identification numbers that are unique to each person.
Unlike the Yahoo or eBay breach which involved email addresses, which can be easily changed, the same can’t be said for the Malaysian data breach. Unique MyKad numbers, phone numbers as well as addresses were also leaked out, and herein lies a very big problem for every Malaysian concerned.
The Malaysian MyKad is a permanent number attached to every individual, and the numbering format is utilizes is severely flawed.
MyKad Numbers from the 1990’s
While the chip-based MyKAD that was introduced in 2001 is still one of the best identification cards around, the numbering format that it utilises isn’t.
The MyKad numbering format that is currently used was introduced back in 1990. Yes, 1990, when mobile phones looked like a construction brick , computers took 10 minutes to boot, and when the world wide web as we know it today didn’t even exist.
Back then, it was perfectly understandable to have so much information included in the MyKad number, in plain text. Databases was an alien language, and data breaches was as far away as Mars.
In today’s data driven world however, not only does it not serve its original purpose, it also reveals way too much information about a person, just from this set of numbers.
In the case of the recent data breach, aside from the leaked data which includes the name, MyKad, address and phone number, the MyKad number will also reveal the birthdate of the individual, age, place of birth, as well as gender. That’s a whole lot of information that can be easily abused.
Put a whole bunch of Malaysian MyKad numbers in an Excel sheet, and you will be able to easily sort the owners out either by gender, date of birth, age, and place of birth. Fantastic if you’re a marketer targeting an age group, or gender, or location of a potential customer.
Worse, some banks and financial institutions still use date of birth as a security question.
There are only 3 random numbers in the MyKad, which in itself doesn’t actually hold any kind of checksum. According to the National Registration Department (JPN), these numbers are generated automatically by their computer systems.
The case for new MyKad numbers
The massive data breach could be a blessing in disguise. Everybody could use a new updated MyKad number – with a new more secure number format. Not only will the new MyKad number contain less information and ensure better privacy, it will also put a massive dent in anybody who tries to take advantage of the leaked data obtained from the data breach.
A checksum based alpha-numeric number will go a long way in protecting user privacy, and at the same time ensuring the validity of MyKad numbers. We don’t have to go far to see a similar system to generate unique NRIC numbers based on a checksum algorithm as it is already being used in Singapore.
While the Singapore checksum algorithm has been reverse engineered, it is not entirely impossible to come up with an even better algorithm for Malaysian MyKad numbers. If required, the date of birth as well as place of birth and even gender can be retrieved from the actual MyKad number based on a secret algorithm that is shared only with agencies authorized to handle the data.
The chip-based MyKad will still remain the same, just the numbers will be changed. The MyKad that every Malaysian currently owns only has a lifespan of 10 years, and a data retention life of 20 years – so you will eventually need to change it at some point or another.
Share your thoughts with us in the comments boxes below, and we will update the article with any ideas which we feel could further strengthen our call for new updated MyKad numbers.