While earlier today saw reports of a database with the details of 13 million Malaysians being sold online, there was actually another listing on the same online forum for a database that claimed to have 2.7 million entries garnered from the Unifi website, along with admin access to the Unifi website backend.
This is understandably a pretty serious matter, and Telekom Malaysia has since released a statement confirming that they’ve been the victim of a data breach. According to TM, they found that 250,248 Unifi Mobile customers are affected in the data breach that happened, which includes both individual customers as well as small and medium businesses. They add that the type of data leaked involves customer names, phone numbers and emails, and that no other information was breached.
Going back to the database being sold online, it seemed to contain payment details for Unifi Bebas Prepaid plan, which includes customer names, their email address, phone number and the amount they paid to top up their plan. It also seems that the data breach happened relatively recently, as some of the payment details shown off in the listing included payments done as recently as 24 December 2022. A user had asked the seller if the database includes any passwords, and the seller responded no, seemingly corroborating with TM’s statement.
TM adds that the breach has since been contained and that they’ve taken steps to minimise the potential impact to these 250,248 customers. In particular, they have notified the customers affected, and also reported the incident to the authorities. If you’re a Unifi Mobile customer but did not receive a message from TM, then you were not impacted. They also point out that customers won’t be experiencing any service disruptions while they add on further security measures.
You can read TM’s full statement below:
“Telekom Malaysia (“TM” or “the Group”) has been made aware of a data breach (specific to contact information only) on 28 December involving a limited amount of Unifi Mobile customers’ information.
After investigations, TM has found 250,248 Unifi Mobile customers to be affected in this data breach, constituting both individual customers as well as SMEs. The type of data that was breached involved customer names, phone numbers and emails. No other information was breached.
TM confirms that the breach has been contained and have taken steps to minimise the potential impact to these 250,248 customers. The specific customers affected have been notified. Customers who have not received any notification are not impacted. TM has also reported this matter to the relevant authorities (National Cyber Coordination & Command Centre (NC4); Department of Privacy & Data Protection (JPDP); and the Malaysian Communications & Multimedia Commission (MCMC)).
While additional security measures have been put in place to isolate the risk and protect our customers, we wish to inform that our customers did not experience any service disruptions in this incident.
TM is closely monitoring the situation and is conducting additional assessments. We advise customers to take extra precautions when receiving communications from unknown parties, as well as to secure their online information at all times.
The privacy and security of TM’s customers remain our highest priority and we take such matters seriously. We will continue to strengthen and ensure our data security framework, policies, systems and processes are continuously benchmarked against Bank Negara Malaysia’s Risk Management in Technology (RMiT) standard and ISO27001, as well as other global standards to prevent such occurrences.”