[UPDATE – 5 May 2026, 4:03pm]
OCBC has since responded, stating that the alleged data breach claims are untrue and that all customer data remains secure. Below is the official statement that was shared with us:
We are aware of the recent online reports alleging that our customers’ data have been released on the dark web.
Our Technology Information Security Office team has completed its investigation and verified that the data in question are fabricated and are not our customer data.
We assure all customers that their data remain secure. Customer information is our top priority; we enforce stringent security controls and continuous monitoring to keep data protected.
We will continue to monitor the situation closely and remain vigilant.
[UPDATE – 5 May 2026, 4:50pm]
UOB has commented on the matter and also denied that their database has been breached. Their statement is as follows:
UOB Malaysia is aware of an online speculation about a possible breach of its customers’ database. The Bank wishes to state clearly that these claims are false, and there has been no breach of customer data and our systems remain safe. At UOB, we take the security and confidentiality of our customers’ information very seriously and continue to monitor our systems closely to ensure they remain secure.
With this, both banks have since refuted the data breach claims, stating that no such incidents have occurred and that customer data remains secure. Nevertheless, users are advised to remain vigilant.
[Original Story – 5 May 2026, 2:25pm]
Two local banking institutions, OCBC Bank and United Overseas Bank (UOB), are reportedly linked to alleged data breach incidents, according to posts shared by the Dark Web Intelligence account on X. The claims originate from a cybercrime forum, but as of now, neither incident has been independently verified and both banks have yet to issue official statements.
The first claim involves OCBC Malaysia, where a threat actor alleges possession of a dataset containing sensitive information. Based on a sample shared in the forum post, the data may include phone numbers, email addresses, banking-related details, passport information, national ID numbers such as MyKad, business registration records, and driving licence data. The sample reportedly contains structured entries and references to OCBC Malaysia domains.
If the OCBC-related claims are proven legitimate, the potential exposure of both financial and identity data could pose significant risks. These include financial fraud, account takeovers, identity theft, and more targeted attacks such as phishing, social engineering, and SIM-swapping.
A separate claim targets UOB Malaysia, though the available information appears far more limited. The alleged dataset sample reportedly only includes basic fields such as the bank’s name, account numbers, and timestamp entries labelled “first_seen.”
Unlike OCBC’s case, there is no indication of customer identity data, transaction histories or a complete dataset structure. Given the lack of detail, the UOB-related claim may involve synthetic data, previously exposed information, or a misrepresented dataset with limited value.
As highlighted by Dark Web Intelligence, both claims remain unverified and should be treated with caution. We have reached out to both OCBC and UOB for comment regarding these allegations.
In the meantime, users are advised to monitor their bank accounts for any unusual activity, enable multi-factor authentication where available, and remain cautious of unsolicited communications claiming to be from either bank. They should also avoid sharing sensitive information, including one-time passwords or login credentials, particularly via phone calls or email.
