Are you one of those, whose personal data has been leaked on to the dark web?
Are you aware that the stolen information included mobile numbers, unique phone serial numbers, home addresses, IC numbers, house details and more?
Did you know that personal information (yours) from many Malaysian public sector and commercial websites were stolen and that the information was going to be sold for an undisclosed amount of Bitcoin?
Many Malaysians are probably unaware of the seriousness of this data breach, or have not heard about it.
The Malaysian Communications and Multimedia Commission (MCMC) and police are investigating this massive data breach, and yet, information is hard to come by. Perhaps, I missed something, but do you know the latest update?
Are you worried?
Maybe you think that no one can use your personal information.
What would you do, if you were to receive a letter, urging you to service your house loan and threatening the seizure of your house, but know that you have not obtained a loan?
How would you react, if you were to go to the polling booth, only to find that you are registered to vote at a polling centre, in another state?
Wouldn’t you be livid, if you found that your account has been emptied, because a “new” credit card in your name, had been used on a spending spree?
You should be very worried because the personal data that was stolen could be used by criminals to commit identity theft.
The MCMC and police are poor about giving regular updates on this data breach. This is not good.
When and how it happened.
Two months ago, Lowyat.net alerted the MCMC about the theft of personal and sensitive information, but the MCMC did not respond.
Shocked by the MCMC’s lack of response, Lowyat wrote an article about the data breach, and published it on their website, on 19 October, to alert Malaysians.
The article was called, “Personal data of millions of Malaysians up for sale, sources of breach still unknown”.
It wrote that unidentified individuals, had used the public forum on their site, to try to sell personal details of around 50 million phone subscriptions. The information came from various telcos and included customer names, billing addresses, mobile phone numbers, sim card numbers, handset models and MyKad numbers. The breach was probably between 2012 and 2015.
Another data breach included 17 million rows of customer information from a jobs portal. This identified the candidate’s name, login name, hashed password, email address, nationality, address and mobile phone number. This breach was probably between 2012 and 2013.
In addition, there were two sets of data from the Malaysian Medical Council, Malaysian Medical Association (MMA), Malaysian Dental Association, and housing loan applications.
The doctors’ data included MyKad numbers, address and mobile phone numbers. The housing loan application data contained information such as name, MyKad number, contact number, email address, blacklist status, address, job, employer, salary and spouse’s details.
Two hours after posting the article online, the MCMC ordered its removal. Reluctantly, Lowyat’s administrators agreed, but replaced the post, with the message: “MCMC has requested the removal of this article. We are still awaiting a statement from them”.
The order from the MCMC was wholly irresponsible, and will alarm those who were affected.
Malaysia’s worst data breach
Both the Multimedia and Communications Minister, Salleh Said Keruak, and the MCMC chief operating officer, Mazlan Ismail, have acted irresponsibly.
In 2013, the MCMC commissioned Nuemera Sdn Bhd to manage a service called the Public Cellular Blocking Service (PCBS), to deactivate mobile phones, which were reported to have been stolen.
Both Keruak and Mazlan have declined to confirm or deny the link between the PCBS and the theft of personal information of 50 million phone subscriptions. The data breach probably occurred in 2014.
On 1 November, Keruak said, “We have identified several potential sources of the leak, and we should be able to complete the probe soon”; a month later, the IGP, Fuzi Harun, said it was possible that the breach “occurred after staff from a company tasked with transferring the data took advantage of the situation”.
In response to the data breach, local tech blogger, Keith Rozario, set up the website sayakenahack.com, to enable people to find out if they had been hacked. MCMC later blocked the site. Why?
If the MCMC is being obstructive, then it should contact, by mail, everyone whom personally identifiable information had been stolen. It has the resouces to do all this.
Perhaps, those who suspect and know their security details have been stolen, should sue the MCMC for the abrogation of its responsibilities.
In first world, and high income nations, Keruak and Mazlan’s positions would be untenable and they would be fired.
Do find out if your personal details were stolen
[amazon_link asins=’B01LW1VU9E’ template=’ProductCarousel’ store=’mariammokhtar-21′ marketplace=’UK’ link_id=’fe10692e-e916-11e7-bae7-0f261b000616′]