Malaysia faced possibly one of its largest telco data leak ever back in 2017. Lowyat.net reported that over 46 million users had their data compromised, and that someone was trying to sell the information for an undisclosed amount of Bitcoin.
Today, Nuemera–the company that provides the public cellular blocking service (PCBS)–claims that the police have cleared them of any wrongdoing in a letter that was issued to them through their lawyer Nuemera quotes that the Royal Malaysian Police (RMP) said:
“To date, the result of the investigation revealed that there was no evidence that Nuemera (M) Sdn Bhd, as well as its staff was involved in the leak or sale of data on the Internet”
According to Nuemera, the company provided their fullest cooperation to the investigations that was led by the Royal Malaysian Police which commenced in October of 2017. This data breach involved multiple parties including the Malaysian Communications and Multimedia Commission (MCMC), Nuemera and several telecommunications companies.
The data breach included information like postpaid and prepaid phone numbers, customer details, addresses, and SIM card information including IMEI and IMSI numbers. In addition, three databases belonging to the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA) were leaked.
When MCMC launched the PCBS in February of 2014, the intention was to provide a service that allowed stolen phones to be blocked from making calls, texting or accessing the Internet. Because of the kind of information that was stolen, it seemed logical that the source of the breach would have come from the PCBS. However, Nuemera says that they took the RMP’s letter to them as affirmation that there has been no evidence that the data leaked on the internet originated from them or the PCBS.
Additionally, they clarified that despite the “some media” reports indicating that they were terminated by the the MCMC, Nuemera is in full compliance and have fulfilled all obligations as per their contract with the MCMC. However, Nuemera states that as there are “contractual disputes” pertaining to the same, MCMC and Nuemera have mutually agreed to refer the matter to the Asian International Arbitration Centre (AIAC) and are unable to comment further.
This comes following a parliamentary written reply that the ministry made in reply to a question by Lembah Pantai MP Fahmi Fadzil about how personal data for the 46.2 million mobile phone accounts could have been leaked. The reply reads:
“On May 21 last year, MCMC issued a notice to Nuemera based on the Commission’s decision not to renew the Public Cellular Blocking Service (PCBS) agreement for another five years as per the option within the contract agreement.”
But, with all of this said and done, the question still remains: How did the data leak? What is the next course of action to find the perpetrators of this massive breach?