220,000 Malaysian organ donors' data 'leaked'

Technology website says they and their next of kin have fallen victim to alleged data theft

Another major leak of personal data has been reported in Malaysia, just three months after details of 46.2 million mobile phone subscribers were found released online.

According to technology website Lowyat.net, about 220,000 Malaysian organ donors and their next of kin have fallen victim to the alleged theft of personal data.

The website, in a post on Tuesday, said: "While the total number of records in this leak is nowhere near the massive amounts of data leaked in the mobile telco data breach that we reported back in October 2017, this leak contains one very serious implication, where it reveals personal information of a nominated next of kin.

"This doubles the actual number of records leaked to 440,000, and also links two individuals to each other in a binding relationship - whether it may be husband and wife, siblings or parental."

Malaysia's top cop Mohamad Fuzi Harun said police intend to speak to the administrators of Lowyat. He added that it was "suspicious" that the reports on the two data breaches appeared to originate from the same website.

"We find it suspicious, and we will be in contact with the website administrators regarding this case. The case is being investigated by the Commercial Criminal Investigation Department," he told a news conference yesterday.

Lowyat.net is named after Kuala Lumpur's Low Yat Plaza - a popular spot for buying electronic products.

SINGLE SOURCE

The leaked data contains sign-up data from government hospitals as well as national transplant resource centres across the country, which would mean that it has been retrieved from a central database.

LOWYAT.NET, on the data leak.

The site said the leaked data included donors' full names, identity card numbers, as well as their race, gender, and the organs they wished to donate.

The full names of next of kin and the nature of their relationship was leaked as well.

The data - stored in files, and dated 1997 to 2016 - were available online from as early as September 2016, the website said.

"The leaked data contains sign-up data from government hospitals as well as national transplant resource centres across the country, which would mean it has been retrieved from a central database."

The website added that it alerted the Department of Personal Data Protection about the data leak before the report was published.

Lowyat founder Vijandren Ramadass said the Web portal discovered that the data was being shared for free on a popular file-sharing site, and that the files are "still online", Reuters news agency reported.

"We submitted a direct request to the host on Sunday to remove the files but we didn't get any response," he said.

Malaysia's cybercrime chief Ahmad Noordin Salleh, speaking on the sidelines of a cyber security seminar yesterday, said no police reports have been filed on the latest breach, so far.

In a statement, Internet regulator Malaysian Communications and Multimedia Commission (MCMC) said it views the matter seriously and an investigation has been launched. It added that the police, Department of Personal Data Protection, and MCMC are understood to be conducting the probe.

In October last year, the personal details of about 46.2 million mobile phone subscribers were leaked online, in what is believed to be the biggest data breach in the country.

A version of this article appeared in the print edition of The Straits Times on January 25, 2018, with the headline '220,000 Malaysian organ donors' data 'leaked''. Print Edition | Subscribe