UPDATE [16 SEPT / 6:35PM]: The Accountant General’s Department of Malaysia has released a statement in regards to the alleged ePenyata Gaji’s data breach. Check out our report right here for more details.
ORIGINAL STORY [15 SEPT / 11:50 PM]:
An unidentified organization has claimed that it has managed to identify vulnerabilities within the ePenyata Gaji which is the salary data system for Malaysian civil servants. In addition to that, the organization has also claimed that it has managed to breach the system and obtain a significant amount of data from the system with the help of security vulnerabilities.
According to the statement from the group which was published by Sin Chew Daily, among items that it claimed to have obtained from ePenyata Gaji is a database in JSON and CSV format which has more than a million rows of identities. Among the information that’s apparently contained within the database includes full name, MyKad number, position, department, pay slip number, mobile phone number, and e-mail address.
Furthermore, the group also claimed that it has extracted almost two million pay slips and tax forms in PDF format with a total file size of 188.75GB. SinChew noted that it has sighted several screenshots that the group has attached in its statement that include pay slips of several notable politicians such as Finance Minister Tunku Zafrul, former Deputy Finance Minister Ahmad Zahid Hamidi, and former Speaker of the Dewan Rakyat Mohamad Ariff Md Yusof.
In the statement, the group also claimed that it has reached out to the Malaysian government via e-mail on 7 September. The e-mail was apparently sent to several high-ranking officials such as Chief Secretary Mohd Zuki Ali and Chief Security Officer Rahimi Ismail as well as the Auditor General’s office.
The group noted that the government was given until 12 September to respond but nothing happened. Hence, the group now plans to sell all the items that it has extracted from ePenyata Gaji on several well-known database marketplaces starting from 19 September onwards.
Here is the redacted version of the full statement from the so-called grey hat group:
While we have no means to verify any of the claims above since we did not receive the statement ourselves, the timeframe that was mentioned in the group’s statement did match the recent maintenance activities that were deployed on ePenyata Gaji though. It is unclear when exactly they took place, but they were noted on the National Audit Department’s Facebook page on 9 and 13 September.
In fact, the ePenyata Gaji’s site was indeed down when we visited it at 8:40 PM today although it was already up again when we visited it two hours later.
Meanwhile, this case is already under investigation by the police, according to Sin Chew’s report. That being said, there is no official statement from the authorities so far which may not bode well for civil servants out there given how their personal data could be easily misused if this data breach did happen.