PETALING JAYA • An alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004 - purportedly stolen from the National Registration Department (NRD) - has put the country's data security measures under the spotlight once again.

Local technology portal Amanz reported that the database, which is 160GB in size, is being sold for US$10,000 (S$13,800) on the Dark Web.

In the screenshot shared by the portal, the seller claimed that this is an expanded database compared with the one he sold in September last year, which was only up to 1998.

In both incidents, it was claimed that the data was siphoned from the NRD through the MyIdentity API (application programming interface).

MyIdentity is a centralised data-sharing platform that is used by various government agencies.

Malaysia's Home Minister Hamzah Zainudin yesterday said the alleged data leak did not come from the NRD, but from "several agencies which we have given some leeway for them to obtain information from us".

He did not name those agencies, or how many agencies had access to the MyIdentity data.

Datuk Seri Hamzah told reporters after attending an event that there was a mechanism in place which could prove that the leaked information did not come from the NRD.

"Previously, there was a similar allegation but we have managed to prove that the leak was not from the NRD."

When the first data leak was discovered in September, it allegedly involved the NRD database of people who were born between 1979 and 1998, and was being sold for 0.2 bitcoin (RM35,350, or S$11,130).

But Mr Hamzah said then: "Don't worry about data held by NRD. Our firewall is quite strong."

He said then that all government agencies using the MyIdentity system had been instructed to implement stricter safety measures.

Lawyer Foong Cheng Leong said yesterday that the lack of transparency on investigations related to data leaks has been frustrating.

"There needs to be an account of how the matter is being investigated and what steps are being taken to ensure that the data is secure.

"The information could serve as a deterrent to others and show that there will be consequences for those leaking private information," he said in a phone interview.

Mr Foong urged fresh investigations to be conducted including by the Department of Personal Data Protection.

