Following a recent report that personal data belonging to 22.5 million Malaysians were put up for sale, Malaysia’s Home Affairs Minister Dato Seri Hamzah Zainudin denies that the data came from the National Registration Department (JPN). He said the Home Affairs ministry will investigate the individuals behind the sale of personal data.
• Isu tular penjualan 22.5 juta data peribadi rakyat Malaysia dalam talian disahkan bukan milik JPN— BERNAMA TV 🇲🇾 (@BernamaTV) May 18, 2022
• KDN akan panggil, siasat individu terlibat tular isu penjualan 22.5 juta data peribadi rakyat Malaysia
— Menteri Dalam Negeri Datuk Seri Hamzah Zainudin pic.twitter.com/FiN27A7oYH
There are no further details at the moment and there’s also no mention of a separate sale of personal data and eKYC photos which allegedly came from the Election Commission’s voter registration site.
To recap, an individual had offered to sell a database of 22.5 million Malaysians which claimed to be obtained via JPN’s MyIdentity API. The 160GB database claims to cover all Malaysian adults who were born between 1940 to 2004. The sale was posted in an online forum that acts as a marketplace for leaks and the seller claims to be the same party behind last year’s sale of data involving 4 million Malaysians.
To provide proof that the database is legit, the seller even provided sample data belonging to the Home Minister itself. The record contains the full name, address, date of birth, gender, IC number, race, religion as well as the photo in the IC.
Following the report of last year’s database sale, Hamzah said in September 2021, there was no data leakage of personal data from JPN. He said this was because the firewall of the data security control systems was very secure and all information is protected. He said his Ministry has always ensured the security and integrity of data of Malaysian are assured under JPN.
According to a report by The Star, Hamzah said there are 104 agencies that are permitted to use the MyIdentity data. MyIdentity serves as a data-sharing platform that’s used by various government agencies and it was set up in 2012.
Despite JPN lodging a police report and investigations being carried out by various government agencies, there were still no clear answers about the data leak and what steps were taken to prevent such incidents from reoccurring.
Even if the source is not directly from JPN, the type of data collected is still a huge concern as it can be misused for scams and phishing attacks. At the moment, most Malaysians would have probably received a scam call impersonating officials from Inland Revenue Board, banks, police, and courthouses.
With the additional leaks involving IC verification selfies allegedly obtained from the Election Commission, it continues to raise concerns if government agencies are doing enough to keep our personal data safe. These eKYC photos can be potentially misused to sign up for financial services without the person’s knowledge.