It was reported that yesterday, a database leak that contained four million data entries belonging to Malaysians was put on sale for RM35,500 at a well-known marketplace forum. The leaked database reportedly involved the National Registration Department (JPN) as well as the Inland Revenue Board (LHDN).
The seller claimed that the data was from JPN but acquired through LHDN’s website using myIDENTITY’s API and it was listed on the marketplace for 0.2 BTC.
LHDN has now since issued a statement and refuted the claim that its website was the source of the database leak and insisted that it was merely just a user of myIDENTITY but does not own the platform.
In their statement, they insisted that all of the data and information under its custody is safe and protected by “recognised data security technology”.
Furthermore, the board revealed that its own internal investigation showed that there was no leak of data and information at its end. They are currently working together with JPN, NACSA, and the National Security Council to go through all the possibilities in regards to the said database.
It was also reported by BERNAMA that the Royal Malaysian Police (PDRM) have begun to investigate the database leak. According to the Director of PDRM’s Commercial Crime Investigation Department, CP Mohd Kamarudin Md Din, a police report regarding the incident has been filed at Putrajaya by the Deputy Director of JPN and the case is currently being investigated under Section 4(1) of Computer Crimes Act 199.
CP Kamarudin said that a thorough investigation will be carried out in collaboration with the Malaysian Communications and Multimedia Commission, CyberSecurity Malaysia, and National Cyber Security Agency (NACSA).
PDRM has also reportedly made the first move by attempting to block the sale of the database but the listing appears to still be on the marketplace forum as of 10.00 am today (29 September).
How did this all start?
The issue was first highlighted by local Intrusion Analyst, Adnan Shukor, via a Twitter post. He noted that the important information of Malaysians such as their full name, NRIC number, mailing & permanent addresses, mobile number, and e-mail address were all included as part of the data. To make matters worse, there are also images present in the database which was grouped according to each individual’s birth year, ranging from 1979 to 1998.
The data was said to be in 19 different files and sample images of the database provided by the seller showed the information of about 60 individuals which contained all of their personal information.
The seller which according to their profile is based in, Puchong, Selangor, claimed that the total data is of four million Malaysians which is equal to 31.8GB. They also claimed that it was leaked via myIDENTITY API, which is essentially the national data-sharing platform for the public sector that allows government agencies to obtain one’s personal details from a centralised repository. 10 agencies including both JPN and LHDN are currently linked to the platform which first went live in June 2012.
Worryingly enough, there have been a number of inquiries to the listing by potential buyers.
We hope that the listing gets brought down promptly and that a complete investigation is conducted on how the database was leaked in the first place. Let us also do our part to keep our data safe from potential leaks such as this.
What do you think of this? Let us know in the comments.
Also read: Here’s How To Find Out If Your Personal Data Was Exposed In An Online Breach