Earlier this year, we had reported that a data breach had apparently occurred at the Election Commission, resulting in a database containing the details of over 800,000 Malaysians being sold online. It’s now been over half a year since that breach was listed, but it seems that it’s still being available online.
Camnelah hackers ni boleh dapat semua data Pengundi dari database SPR ni.
— Faisal Rahim (@acaiijawe) November 9, 2022
Maklumat lengkap siap nama, IC, nombor telefon, email dan alamat. Tak cukup dengan tu, ada gambar IC dan selfie sekali!
Murah plak tu harganya 😭. Kasihan kita semua.
Harap ini semua palsu. pic.twitter.com/y9A107q1FT
1. Selfies and myKad images of 800,000 Malaysians are being sold online at a well-known database marketplace.
— The Futurizts (@TheFuturizts) November 11, 2022
The data is apparently sourced from the mySPR system, a website for Malaysians to register themselves as voters online. pic.twitter.com/J1zAmIAaGG
This data contains pictures of Malaysian identification cards, names, email addresses, phone numbers, birthdays, addresses and even selfies of these Malaysians holding up their IC cards. There’s a total of 802,259 Malaysians involved, with 67GB of data in total. The seller is asking for USD2,000 for this database, to be paid via cryptocurrency. This data was allegedly sourced from the MySPR website; this was where you’d go to register as a voter prior to the implementation of automatic voter registration.
For context, when Malaysians wanted to register as a voter online back then, you would use the MySPR Daftar system. This required users to include their personal details along with a picture of their identification card and a photo of them holding it up to the camera for electronic Know Your Customer (eKYC) purposes. It’s no longer being used for voter registration, but the MySPR system still exists for some reasons such as for changing their voting address, or to register for postal voting.
Now despite being first listed online in April, the listing is still live, with the seller keeping the thread alive as recently as this week. It’s certainly quite worrying to see this, especially considering that when the data breach was first made known so long ago. The concern is is not only does the perpetrator and anyone who buys this database have access to the details of Malaysians and their identification number, but also an eKYC image of them holding up their IC which can be abused by these bad actors to apply for products and services without them knowing.