Unfortunately, this time, the leak affects millions of Malaysians - and you could be one of them.
Database contains important information
A database purportedly belonging to the National Registration Department (JPN) has reportedly been listed for sale online.According to a report by tech site Lowyat.net, the database, which contains data from four million Malaysians born between 1979 to 1998, has been put up on sale on a well-known database marketplace forum for 0.2 Bitcoin, which is equivalent to RM35,001 as of Wednesday (29 September).
The listing was first spotted by local intrusion analyst Adnan Shukor.
4 juta data peribadi rakyat Malaysia diiklan untuk jualan. Dikatakan data dari API myIDENTITY pic.twitter.com/UboJAwPlnC
— Adnan (xanda) Mohd Shukor (@xanda) September 27, 2021
In the listing, the seller revealed that the database contained important information such as an individual's full name, IC number, mailing and permanent addresses as well as phone number.
On top of that, it also contains a picture of an individual.
The total size of the database is reportedly 31.8GB, so it means there's A LOT of information in there.
The seller claimed that he obtained the database from the website of the Inland Revenue Board through an Application Programming Interface (API) that is made for myIDENTITY.
As explained by Lowyat.net, myIDENTITY is a national data sharing platform that allows government agencies to obtain an individual’s personal details from a centralised archive.
Since going live in 2012, ten local government agencies including LHDN and JPN are linked to the platform.
Police to conduct investigation
On Tuesday (28 September), the Royal Malaysian Police (PDRM) confirmed that they have received a report regarding the leak and they've started investigations into the matter.Director of PDRM’s Commercial Crime Investigation Department CP Mohd Kamarudin Md Din told Bernama that the police report was made by the Deputy Director of JPN and the case will be investigated under Section 4(1) of Computer Crimes Act 1997.
The police will work closely with the Malaysian Communications and Multimedia Commission (MCMC), the National Cyber Security Agency (NACSA) and CyberSecurity Malaysia during the investigation.
CP Mohd Kamarudin told the news agency that they are not ruling out the involvement of insiders in this case.
Meanwhile, LHDN denied that the hacker got the database from their website.
LHDN saind in a statement that they do not own the myIDENTITY platform, and their internal investigations have revealed that there's been no breach or leak of information.
They further assured Malaysians by saying that their data under its custody is safe and protected by "recognised data security technology".
We do hope that the authorities get to bottom of things soon.