It appears that there’s a potential data breach at the National Registration Department (JPN) as a database containing close to 4 million Malaysian citizens has been put on sale through an online forum. According to the seller, the data was freshly obtained from Jabatan Pendaftaran Negara and hasil.gov.my (Inland Revenue Board) through the MyIdentity API.
The database consists of 19 files in JSON/CSV format with a total size of 31.8GB. The person alleged that the current list contains details of individuals born between 1979 to 1998. The list includes personal details such as name, email, mobile number, permanent address, gender, IC number, race, religion, and even photos stored in base64 string.
The seller is asking for 0.2 Bitcoin (BTC) for the full list which is about RM35,000. Some interested buyers were asking for data narrowed down to selected cities but the seller prefer to sell the list in bulk.
At the time of writing, the MyIdentity portal is currently inaccessible. Launched in 2012, the platform was meant to make it easier for citizens and permanent residents to access and update their personal information when dealing with government agencies online. A total of 10 agencies were involved in the pilot project which includes National Registration Department, Malaysian Immigration Department, Road Transportation Department, Inland Revenue Board, Election Commission, Education Service Commission, Social Welfare Department, Labour Department of Peninsular Malaysia, National Higher Education Fund Corporation, and Royal Malaysian Police.
When another user asked for proof of authenticity, the seller shared personal details of a popular local celebrity based in Kuala Lumpur. The database appears to be legit as the image matches the actual person.
This potential data breach raises concerns about the security of the government’s online platforms especially when it involves the National Registration Department. Not only it exposes important details of Malaysians but the data can be misused for potential scams and phishing attack.
Under the MyDigital initiative, Malaysia aims to move 80% of public data to hybrid cloud systems by the end of 2022. In order to build trust, it is important for the government to strengthen cybersecurity for its platforms and to ensure resilience towards potential cyber-attacks.