KUALA LUMPUR, Dec 31 — Malaysians have been hit with yet another data breach. This time involving a banking institution, multimedia and broadcast agency and a government electoral agency where millions of personal information were said to have been sold online.
In the latest allegation, the leaked databases contain the full names of some 13 million voters sourced from the Election Commission (EC) and customers of Maybank and Astro Malaysia as well as their MyKad numbers, addresses and mobile numbers.
Such incidents have become increasingly rampant in the last two years.
Here Malay Mail lists some of the major data breaches that have happened in 2021 that continues to test the fragility of the nation’s cybersecurity even as the nation seeks to embrace 5G broadband network.
2022
December 30 – Communications and Digital Minister Fahmi Fadzil has put two agencies on the tail of the latest data leak allegation involving some 13 million account holders from Malaysia’s largest bank Maybank, the EC and satellite broadcaster Astro.
The stolen information was posted on a popular online database marketplace where the seller asked interested parties to message them directly through Telegram or use the forum’s direct messaging features to complete the sale.
Lowyat.net reported that a separate listing also existed on the same day where the seller said they had personal database of internet provider Unifi's mobile customers. The seller was asking for US$850 (RM3,752) for the sale.
This latest breach was made public by Twitter user @Xanda whose original tweet is no longer available.
November 28 – Several sources report that an ad was posted on a well-known hacking community forum claiming to sell a 2022 database of 487 million WhatsApp user mobile numbers, of which, 11 million are Malaysian numbers.
The leak includes accounts from 84 countries. According to the source, countries with the highest number of hacked accounts are Egypt with 44,823,547, Italy with 35,677,323, and the US with 32,315,282. Malaysia has the 12th highest number with 11,675,894.
The seller, however, did not specify how they obtained the database. But quite often, massive data dumps posted online turn out to be obtained by scraping — which violates WhatsApp’s Terms of Service.
Meta, the company who owns WhatsApp, dismissed these reports calling it speculative and based on unsubstantiated screenshots.
November 10 – Malaysia's election regulator had its database hacked. The seller of the stolen data claimed to have registered voters’ MyKad numbers, full name, email addresses, passwords and home addresses.
It even had the pictures and identity card numbers of citizens as Malaysia moved towards automatic voter registration. The EC exercise began in 2019. The EC website is still used for updating voters’ personal information such as phone numbers and addresses.
Twitter user @acaiijawe first tweeted about the data being sold online for US$2,000 (RM8,824) to be paid in Bitcoin or Monero (a decentralised cryptocurrency abbreviated XMR).
November 5 – Budget airline AirAsia was hit by a Daixin ransomware, jeopardising the personal information of five million passengers. Following investigations, the Communications Ministry said the company had detected an unauthorised access on its servers on November 12.
AirAsia's parent company Capital A was told to hand over any important document and data related to the incident. Efforts to track down the perpetrators are ongoing.
Daixin is a ransomware and data extortion group. It admitted to the attack in an interview with databreaches.net, stating that it was unhappy with AirAsia's chaotic organisation and alleged its absence of any standards.
October 25 – Around 2.6 million Carousell users from Malaysia and Singapore fell victim to a data breach on the popular online secondhand goods selling platform. All the stolen data was sold online for a mere US$1,000 (RM4,412).
Carousell users’ account creation dates, usernames, full names, email addresses, phone numbers and more were publicly posted online by the hackers. Investigations revealed a bug in the system migration used by a third party to gain unauthorised access to the company’s database.Carousell said it has contacted all affected users and advised them to look out for any phishing emails or SMSes, and not to respond to any communications that ask for information such as their passwords.
September – Data theft incident where hackers claiming to be from a ‘grey hat’ cyber security organisation alleged that they had breached the civil servant e-payslip system (ePenyata Gaji) to expose its weakness.
The group claimed that it could access over a million rows of identities via the database, which is in the format of JavaScript Object Notation (JSON) and comma-separated values (CSV). These contain the government employee’s MyKad number, rank, department, payslip numbers, email address and mobile phone number.
The group also claimed that it has extracted almost two million pay slips and tax forms in PDF format with a total file size of 188.75GB. Then communications and multimedia minister Tan Sri Annuar Musa said the government had found a lead regarding the alleged data theft but there has been no updates of investigations since.
September – Another budget airline Malindo Air, now rebranded as Batik Air, saw 45 million customers’ email addresses, dates of birth, addresses, passport numbers and phone numbers were all revealed online by hackers who claimed to have gained access to the database in 2019.
It was alleged that the data was obtained from a cloud storage service and was leaked by an individual or organisation called Spectre.
Batik Air acknowledged the issue in a press statement and disclosed that two former employees of its eCommerce partner GoQuo (M) Sdn Bhd in their development centre in India were involved. Police reports were made in both Malaysia and India. Malindo Air said the incident is not related to the security of its data architecture and none of the payment details of customers was compromised.
August – Leading payment gateway iPay88 had customers’ card data compromised after a cybersecurity incident. The company said that it initiated an investigation and brought in relevant experts to contain the issue after the discovery on May 21.
iPay88 is a payment gateway company established in Malaysia in 2000 that offers comprehensive payment methods to companies that include e-commerce and retail solutions.
According to KiplePay, a prepaid card provider offered free replacement cards for those affected by the data breach.
May – News emerged that millions of datasets belonging to the National Registration Department or NRD were up for sale for just US$10,000 (RM44,095).
The seller who posted the sale online claimed to have the data of all those born in Malaysia from 1940 until 2004. According to lowyat.net the database was purported to be 160GB large and contained full names, identity card number, addresses, dates of birth, genders, races, religions, mobile numbers, and Base54-based photos.
The seller also posted the details of then home minister Datuk Seri Hamzah Zainuddin to demonstrate the authenticity of the database.
2021
April – Israeli cybersecurity company Hudson Rock co-founder Alon Gal highlighted a leaked database containing data from 533,000,000 Facebook users in 2021. More than 100 countries were affected, with over 11 million Malaysians data leaked.
The data leaked included names, mobile numbers, emails, genders, occupations, cities, countries, marital statuses, and more.
Facebook said the leak was old data that was previously reported in 2019 and they had fixed the issue but the data here was leaked for free meaning the information can still be exploited by crude marketers, scammers, and hackers according to Gal.
The previous government had proposed RM73 million towards CyberSecurity Malaysia as well as the establishment of the National Scam Response Centre as announced in Budget 2023.
They also announced the removal of the One-Time Password (OTP) sent through text by banks for higher risk transactions, a platform will be created for the public to report any sort of online scam cases, government to spread more awareness regarding digital literacy to decrease online scam victims and the creation of a bill to protect credit card users will be proposed nearing the second quarter of 2023.
March – National carrier Malaysia Airlines informed customers of its frequent flyer programme Enrich that there had been a “data security incident” at one of its third-party IT service providers. According to the airlines, the incident happened between a nine-year-period from March 2010 to June 2019.
However, the company did not disclose the number of members affected. Data such as tier levels, status and personal details were stolen but the airlines suggested that there was no evidence to show the stolen information was being used elsewhere but advised members to change their passwords and update their details via phone call.
February – Personal details of over 300,000 E-Pay customers appeared to have been exposed online through a data breach. A threat actor was spotted selling a database of 380,000 customers on a data sharing forum for US$300 (about RM1,322). That’s about 0.32 sen per user.
From the sample record posted on RAID Forums, the database contain the customer’s name, email address, hashed password, date of birth, full address including city and postcode and mobile number. If purchased, these details if legit can be misused for scam activities and 380,000 records is quite a significant size.
