When Defence Minister Datuk Seri Hishammuddin Hussein was asked about the recent breach of data belonging to 22.5 million Malaysians, he says that it “does not jeopardise national security”. But what is the government doing to keep our personal data safe?
What was the breach?
We reported on 17 May that there was a potential data breach at two Malaysian government agencies. An online individual claimed to be selling personal data of over 22 million Malaysians on an online forum.
The first database on sale allegedly contains 22.5 million records obtained from the National Registration Department (JPN)’s MyIdentity APIs. The database apparently covers records of full names, IC numbers, mobile numbers, full addresses, gender, race, religion, and the photo in the IC—of the entire adult population in Malaysia born between 1940 to 2004.
For the second database, the same seller posted an offer to sell information of 802,259 Malaysians obtained from the Election Commission (SPR)’s website. The information bank allegedly includes actual photos of ICs as well as images of people taking selfies while holding their IC.
The seller even provided “proof of legitimacy” by sharing sample data belonging to the Home Minister Dato Seri Hamzah Zainudin himself. The record contains the full name, address, date of birth, gender, IC number, race, religion as well as the photo in the IC. The first database is being sold for USD 10,000 (about RM43,950), while the second one is being sold for USD 2,000 (about RM8,780).
However, on 18 May, Hamzah Zainudin denied that the data came from JPN.
Is our data safe?
Hamzah Zainudin says that the Home Affairs ministry will investigate the individuals behind the sale of personal data. Investigations are also reportedly being done by various government agencies, and JPN has lodged a police report. But besides that, there is still no clear answer about what’s being done about the data leak.
And after being asked about the leak recently, The Star reports that Hishammuddin Hussein “was confident that the country’s relevant intelligence agencies were prepared for any eventuality arising from the leak”.
“I think that we are equipped, to the best of our abilities… This sort of threat does not jeopardise national security,” said Hishammuddin.
Despite what he said, a huge data break like this one is a major concern. Information obtained from the Election Commission like photos of people holding up their ICs can be potentially misused to sign up for financial services without the person’s knowledge. The data can also be misused for scams and phishing attacks.
In March, it was reported that more than 50,000 online fraud cases were reported in Malaysia between 2019 and 2021—involving a total loss of RM1.61 billion. Wikileaks, which exposed confidential data of the US government, has also been described as a threat to national security by CIA director Mike Pompeo. Like the personal data of Malaysians—once the data is out, the damage is irreversible.