The Royal Malaysian Police have opened an investigation paper on the alleged security breach involving personal data of nearly 4 million Malaysians. An individual had recently posted on a forum that a database containing names, addresses, phone numbers, IC numbers and photos is up for sale for 0.2 BTC (about RM35,000). It was alleged that the data was obtained from the National Registration Department (NRD) and Inland Revenue Board (IRB) through MyIdentity API.
Bukit Aman Commercial Crime Investigation Department director Datuk Mohd Kamarudin Md Din said that an investigation was launched after the NRD’s deputy director had lodged a police report at Presint 7 police station in Putrajaya yesterday. The police are obtaining a report from the NRD’s information technology division and they will inspect systems of both NRD and IRB to determine the source of the alleged leak. The case will be investigated under Section 4 (1) of the Computer Crimes Act 1997.
According to the CCID director, they do not rule out the possibility of the involvement of insiders and they are conducting a thorough investigation with the Malaysian Communications and Multimedia Commission, CyberSecurity Malaysia and National Cyber Security Agency (NACSA). The police are also taking necessary action to stop the sale of the database to prevent the situation from becoming worse.
The IRB has released a statement today denying reports of security breach on their website through the MyIdentity API. It clarified that IRB is merely a user and they do not own the MyIdentity system. It added that internal checks revealed that there’s no breach of information or leak as alleged and they are working closely with the NRD, NACSA and National Security Council to look into all possibilities of the allegation.
The statement also said that they regretted the allegation as it may erode public trust on their data security. They also urged users to be careful about sharing such reports which could be created by certain irresponsible parties with the intention to confuse and mislead the public. It assured that all personal data stored by the IRB are safe and protected with certified data security technology.