Website offering personal data allegedly obtained from JPN and MySejahtera surfaces online

Malaysia has seen a rise in data leaks over the past couple of years now, but they had so far been limited to hard-to-find places on the internet. However, over the weekend a Twitter user revealed that a new website had cropped up on the open internet that allowed anyone to look up the personal details of almost any Malaysian.

Twitter user @Radz1112 had tweeted out that there’s an open source intelligence tool on the internet that can apparently let you search for the personal details of any Malaysian, such as their MyKad number, their address, voting details, phone number, vehicle ownership history as well as their JPJ and police summons history. Radz1112 claims that the website was using the same JPN database that leaked out a few weeks back.

Most of this information will require you to create an account with the website and fork up some fees, which can get you stuff like their MySejahtera information too. Reports from Says also indicate that you could unlock additional details of Malaysians from as low as USD1.50 (RM6.63); you’ll have to pay that much to get the name and carrier information for a specific phone number. When you create an account on this website, you can also upgrade the membership tier, with the highest tier costing USD10,000 (~RM44,185). Higher tiers also apparently gave you an option to ‘remove my account information from the database’.

According to Radz1112, he stumbled across this website after going through the local open source intelligence community here and found a suspicious Twitter account. This account had seemingly been dormant since 2011, but suddenly began tweeting about this website, which Radz1112 says could have been an advert for the site. He then tried to look up the site for more details, but found that most of the information about the people behind it had been redacted for privacy. Looking it up further, we found posts about it in online forums dating back to at least 7 June 2022.

The site would later be taken down around evening on 12 June 2022, with no information as to who took it down. Nevertheless, it’s safe to say that even though the website no longer exists, it’s quite worrying to know that there are individuals out there with the personal details of millions of Malaysians out there. DAP Central Executive Committee member Syahredzan Johan has already voiced concern over the matter, stating:

“I checked the site, and while detailed data requires registration and payment, the personal data seem to be there. It is very, very worrying. The authorities must take this matter seriously. Clearly there is a previous data leak(s?) since this information is in the open already,” – Syahredzan Johan

This is just the latest issue in a series of worrying news over Malaysia’s data security, as just last month multiple data breaches surfaced online. There was an incident surrounding the MITI website inadvertently leaving their servers for the PIKAS program open online, as well as the personal details of over 22.5 million Malaysians surfacing online for sale.

However, the Home Affairs Minister Dato Seri Hamzah Zainuddin would go on to deny claims that the data leak originated from the National Registration Department (JPN). The Defense Minister Datuk Seri Hishammuddin Hussein also claimed that there was no need to worry as he was confident in the country’s relevant intelligence agencies. While he perhaps was trying to alleviate concerns, it’s now clear that the authorities need to step in and address our cybersecurity woes sooner rather than later.