[ UPDATE 18/05/2022 18:47 ] Alleged data breach of 22.5 million Malaysians didn’t come from National Registration Department, says Home Minister.
There appears to be a potential data breach at two Malaysian government agencies, as an individual claims to be selling the personal data of over 22 million Malaysians on an online forum. The seller claims to be the same party behind last year’s sale of personal data belonging to 4 million Malaysians.
JPN database containing 22.5 million Malaysians
The first database on sale allegedly contains 22.5 million records obtained from the National Registration Department (JPN)’s MyIdentity APIs. Apparently, the database covers the entire adult population of Malaysia born between 1940 and 2004. The records contain not just the full name, but also the IC number, mobile number, full address, gender, race, religion, and the photo in the IC.
To provide proof that the data is legit, the seller also provided a sample record belonging to Home Affairs Minister Dato Seri Hamzah bin Zainudin. Also attached is his IC photo which matches the Minister. The entire database is 160GB in size and it is selling for USD 10,000 (about RM43,903).
Data and eKYC photos of 800,000 Malaysians obtained from SPR
A couple of weeks before that, the same seller posted an offer to sell a database allegedly containing information on 802,259 Malaysians obtained from the Election Commission (SPR)’s website. The personal details aren’t the worst part, as the seller is also selling actual photos of ICs as well as electronic Know Your Customer (eKYC) images of people taking selfies while holding their IC.
Looking at SPR’s website, these images are used for verification purposes when registering as a new voter. The whole database, including the eKYC photos, is 67GB in size and it is selling for USD 2,000 (about RM8,780).
These leaks continue to raise concerns about the cybersecurity of government agencies. The personal data of Malaysians could be misused by syndicates for scams and phishing attacks, as the database contains contact numbers, IC numbers, and full addresses.
With the extra eKYC photos allegedly obtained from the Election Commission, Malaysians could be potential victims of identity theft. The IC and verification selfies can be misused to apply for products and services without their permission.
Last year, Datuk Seri Hamzah Zainudin said the National Registration Department confirmed there were no data leakages following reports on the sale of personal data belonging to 4 million Malaysians. He said the firewall of the data security control system was very secure and all information was protected.