Data of 22.5 million Malaysians born 1940-2004 allegedly being sold for US$10k


PETALING JAYA (THE STAR/ASIA NEWS NETWORK) - An alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, purportedly stolen from the National Registration Department (NRD), has once again put the country's data security measures in the spotlight.

Local tech portal Amanz reported that the database, 160GB in size, is being sold for US$10,000 (S$13,846) on the dark web.

In the screenshot shared by the portal, the seller claimed that this is an expanded database compared to the one he sold in September last year, which was only up to 1998.

In both incidents, it was claimed that the data was siphoned from the NRD through the MyIdentity API (application programming interface). MyIdentity is a centralised data-sharing platform that is used by various government agencies.

Malaysia's Home Minister Hamzah Zainudin on Wednesday said the alleged data leak did not come from the NRD, but from "several agencies which we have given some leeway for them to obtain information from us".

He did not name those agencies, or how many agencies had access to MyIdentity data.

Hamzah told reporters after attending an event that there was a mechanism in place which could prove that the leaked information did not come from the NRD.

“Previously, there was a similar allegation but we have managed to prove that the leak was not from the NRD.

“It was from several agencies which we have given some leeway for them to obtain information from us,” he said.

When the first data leak was discovered in September, it allegedly involved the NRD database of people born between 1979 and 1998, and was being sold for 0.2 BTC (RM35,350, or S$11,160).

But Datuk Seri Hamzah said then: "Don't worry about data held by NRD. Our firewall is quite strong."

He said then that all government agencies using the MyIdentity system had been instructed to implement stricter safety measures.

On Wednesday, lawyer Foong Cheng Leong said the lack of transparency on investigations related to data leaks in Malaysia has been frustrating.

"There needs to be an account of how the matter is being investigated and what steps are being taken to ensure that the data is secure.

"The information could serve as a deterrent to others and show that there will be consequences for those leaking private information," he said in a phone interview.

Mr Foong urged the relevant agencies, including the Department of Personal Data Protection (JPDP), to conduct fresh investigations to discover if the leak was genuine.

When contacted, JPDP declined to comment at this point.

Mr Foong said the data from the alleged leak could be used by scammers to dupe victims.

"For example, they could pose as an authority figure and present information such as your MyKad number or address to gain your trust.

"They will use this to convince you to give out more details or perform financial transactions," he said.

When contacted, CyberSecurity Malaysia declined to comment, stating that the matter is under the jurisdiction of JPDP.

And the NRD has yet to respond to requests for information.
