The technology news site said the leak included postpaid and prepaid numbers, customer addresses as well as SIM card details from all major operators including DiGi, Celcom, Maxis, Tunetalk, Redtone and Altel.
“Time stamps on the files we downloaded indicate the leaked data was last updated between May and July 2014 between the various telcos,” Lowyat.net said.
The site said it was convinced that the person who tried to sell it the personal data of millions of Malaysians two weeks ago had acquired the information in a similar way to how the site itself did, and was attempting to flip it for a quick profit.
“We have shared all details regarding the data that we uncovered, as well as how we managed to obtain all the data with the MCMC last week.
“The MCMC are following up with the relevant agencies to determine the source of the breach, but we now believe that the data was already being traded online much earlier than we first estimated. Based on the condition of the files that we obtained, we are quite certain that it has already changed hands more than once,” Lowyat.net added.
The report also confirmed that databases of the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA) were compromised.
“We first highlighted this data breach on 19th October, and we are extremely concerned that no remedial action has been taken by the service providers involved to protect those that have been affected by the breach.”
Lowyat.net said while it is the responsibility of the authorities to narrow down the source of the breach, it was more important to mitigate the damage and take steps to protect those who may be affected by the breach.
“We are urging the telcos and MVNO companies mentioned above to alert and start immediately replacing the SIM cards of all affected customers, especially those who have not updated their SIM cards since 2014.
“While the leaked data alone isn’t sufficient to clone the SIM cards, the information available can be exploited to initiate multiple social engineering attacks against affected users,” it said.
The site said that it has currently encrypted and stored all the said data in a single location, and will destroy it by this Friday at noon.
Lowyat.net then urged data owners to contact it if they require the said leaked data.
News about an alleged leak was made public in a report titled “Personal data of millions of Malaysians up for sale, sources of breach still unknown”, published on the popular technology news site on October 19.
The report claimed that the personal data of millions of Malaysians from the databases of an online recruitment portal and medical associations, as well as over 50 million records of customer data from various telcos, were up for sale online. The information taken from telcos reportedly included customer names, billing addresses, mobile numbers, and identity card (IC) numbers.
The article was removed under the Malaysian Communications and Multimedia Commission’s (MCMC) instructions on October 19 soon after it was published. The regulator later explained in a statement that the order to take down the report was a “preventive measure”.
Lowyat.net then restored the original article on October 20 with MCMC’s approval.