EXCLUSIVE: Massive amounts of personal details belonging to Academic and Non-Academic staff of Universiti Malaya were dumped online earlier today. Also leaked was close to 24,000 login id’s and hashed passwords – believed to be from UM’s e-Pay online payment portal.
As of June 2019, Universiti Malaya is reported to have 2,013 local and 331 International Academic Staff, as well as 649 Management Personal and 2,877 Support Staff which we believe are now victims of this data breach.
The leaked files, which were uploaded to an anonymous file-sharing site also included backend passwords and database credentials, making it a very real possibility that a lot more data and financial records – even those belonging to the students – might have been compromised.
This first part of the leaked data contained payslip information of Universiti Malaya Academic and Non-Academic staff members, including individual Bank Names and Bank Account numbers. The bank account numbers were matched to Staff Names, MyKad Numbers as well as Staff ID numbers.
The second part was somewhat smaller in size but contained additional confidential information of Employees Tax (LHDN) Numbers, EPF Numbers, Department, Branch Location, Position as well as salary information.
We also can confirm the discovery of close to 24,000 email id’s alongside hashed login credentials inside the second part. We have sufficient reason to believe that these login credentials were part of the E-Pay site which was defaced yesterday.
Earlier today, Universiti Malaya released a statement claiming that no data was compromised when their e-Pay portal was defaced. We in our immediate article after the attack cautioned that the defacement had compromised their own servers, and therefore the likelihood of a data breach was very high.
We are not able to conclusively ascertain if this data breach is directly related to the current issues at Universiti Malaya or if it is was a mere coincidence. While the current issues will be resolved sooner or later, the victims of the data breach will have to deal with the long lasting impact of having their personal and private details exposed.
We have already taken the necessary steps to notify the authorities of the breach before publishing this article.