Organ or tissue donation is a noble practice, one that has not exactly picked up in Malaysia. In fact, according to this report, Malaysia has one of the lowest percentages of pledged organ donors in the world. And now, that number might just shrink a little more.
We can confirm, that files containing complete details of pledged organ donors has been leaked online as early as September 2016. The data contained in the file is updated up to 31st August 2016, and contains the following details of organ pledgers.
|Pledger Code||Next of Kin Name|
|Donor MYKad Number||NOK Relationship|
|Donor Full Name||NOK Address|
|Donor Old IC||NOK Phone (Home/Mobile/Office)|
|Donor Date of Birth||Organs to Donate|
|Donor Age||Source (Location Registered)|
|Donor Race||Date Submitted|
|Donor Address||Donor Email|
|Donor Phone (Home/Office/Mobile)|
The fields are similar to this online sign up form found at http://dermaorgan.gov.my, however we are fairly certain that the leaked data does not originate from the online form – which in itself doesn’t appear to be working at time of writing. The leaked data contains sign up data from Government Hospitals as well as National Transplant Resource Centers across the country – which would mean that its has been retrieved from a central database.
As noted in the screenshot below, the files were dumped on the 19th of August 2016, and uploaded online to a popular file sharing service on the 29th of September the same year.
The data dump is divided into files, by year of sign up – from 1997 till 2016, however, for reasons we are not able to ascertain, all data from 1997 to 2008 is filled with auto generated dummy data, rendering them useless.
The data dump from January 2009 to August 2016 however contains complete personal details of around 220,000 individuals who have signed up as organ donors, as well as personal details of their next of kin.
Aside from the personal details of all pledged organ donors, the dump also includes yearly breakdown of demographic data of all organ pledgers, broken down by sex, race, state of origin, types of organs as well as age group.
While the total number of records of this leak is nowhere near the massive amounts of data leaked in the mobile telco data breach that we reported back in October 2017, this leak contains one very serious implication where it reveals personal information of a nominated next of kin. This doubles up the actual number of records leaked to 440,000, and also links two individuals to each other in a binding relationship – whether it may be husband/wife, siblings or parental.
Aside from the usual risks associated with data breaches, the presence of relationship data between two individuals also increases the risks of malicious social engineering attacks against the victims.
We have already reached out and notified the PDP of this data leak before publishing our findings. We are also once again calling out to all organizations who handle personal data to ensure that they exercise due care and diligence in ensuring the safety of the data that has been entrusted to them.
Note: The disclosure above is part of a bigger data breach that we believe was leaked online between September and November 2016. Fortunately, the rest of the breach, which involves a number of Malaysian organizations, did not involve any personal data. Due to that reason, we will not be disclosing the details here, and will be leaving it in the hands of the relevant authorities to follow up on.
Featured Image Credit : The Star Online