Technology website Lowyat.net reportedly discovered a huge Malaysian data breach that saw millions of people have their personal data stolen and leaked on the dark web.
The information was apparently taken from multiple Malaysian mobile phone operators, as well as the Malaysian public sector and commercial company websites.
With over 46 million confirmed records breached, this is one monumental data incident.
The mobile operators affected are said to be:
| Maxis | DiGi | Altel |
| Celcom | EnablingAsia | Friendimobile |
| MerchantTradeAsia | PLDT | RedTone |
| TuneTalk | Umobile | XOX |
The leaked information from the mobile phone operators reportedly included:
- Mobile numbers
- Unique phone serial numbers
- Sim card numbers
- Home addresses (for billing)
- Imsi numbers
The huge amount of information breached meant it has been difficult to know when the breach occurred. It may have happened anywhere from 2012 to 2015. There could have also been more than one breach, with the plunder merged into one giant database.
Lowyat.net was the first to find out when it was informed that someone was trying to sell on huge amount of personal information in exchange for Bitcoin on their forums.
Recruitment company JobStreet was also reportedly hit by the breach. Its leak contained almost 17 million rows of candidate information including their names, login details, hashed passwords, email address, nationalities, addresses and telephone numbers. Lowyat.net notes that the JobStreet breach may have happened between 2012 and 2013.
Personal data was also reportedly stolen from:
- Malaysian Medical Council
- Malaysian Medical Association
- Academy of Medicine Malaysia
- Malaysian Housing Loan Applications
- Malaysian Dental Association
- National Specialist Register of Malaysia
The personal data stolen from the various authorities above is thought to have included personal details, IC numbers, home addresses and mobile phone numbers. These sets of personal data is believed to have been taken between 2014 and 2015.
The massive spreadsheets of stolen data is incredibly unsettling. The large number of affected mobile phone operators and government departments may indicate a major flaw in cybersecurity and data protection protocols. The source of the breach has still not been confirmed.
The Malaysian Communications and Multimedia Commission is investigating what may be the biggest data breach in Malaysian history. Lowyat.net has said it will commit to removing and preventing all illegal sales made on its forums, though it notes that the same stolen data is probably being advertised across other channels. The website warns against the illegal sale of stolen data and warns that perpetrators can be punished by law.
With the nature of digital information, copies of the information may have already been sold on multiple times to companies who make direct marketing calls and emails. In the U.K., this is illegal unless the person or organisation who controls the data has first sought consent from recipients to allow them to make such calls and emails for marketing purposes.