Malaysian telco data breach traced to Oman

Leak linked to IP address in Arabian peninsula; suspects identified but no arrests amid probe

KUALA LUMPUR • The Malaysian authorities investigating a massive online breach of data involving 46 million mobile phone users have traced the leak to an Internet Protocol address in Oman, the New Straits Times quoted the police chief as saying yesterday.

Inspector-General of Police Mohamad Fuzi Harun said the team - comprising police and Internet regulator Malaysian Communications and Multimedia Commission (MCMC) - had some leads, and those involved had been identified.

But there have been no arrests so far. "Not yet... It is not easy as it is a complicated case. However, investigations are ongoing," he told NST.

He did not say how investigators had traced the breach to the Arabian peninsula, or what is the next step to be taken.

The data breach, which took place in 2014, involves the personal details of tens of millions of Malaysians.

At one point, the data was being put up for sale online.

The breach appears to be one of the largest leaks of customer data in Asia and has alarmed many in Malaysia, whose total population is 32 million.

'NO SYNDICATES'

I can assure (you) that no syndicates are involved in the case. We believe the company itself is not involved in the crime.

INSPECTOR-GENERAL OF POLICE MOHAMAD FUZI HARUN, who said "crooked employees of a company" may be behind the breach.

Cyber-security experts have said the leaks could allow criminals to create fraudulent identities to make online purchases, as they included lists of mobile phone numbers, identification card numbers, home addresses and the SIM card data of 46.2 million customers.

The data also contained personal information from medical associations and a job portal.

Asked if Malaysian telecommunications companies have been excluded from the list of suspects, Tan Sri Fuzi said it was too early to reach a conclusion.

He had said on Thursday that the data breach could have taken place during a data transfer, when several "crooked employees of a company" took advantage of the situation.

"I can assure (you) that no syndicates are involved in the case. We believe the company itself is not involved in the crime," he was quoted as saying by The Sun Daily newspaper.

The MCMC has said it has met with local telco companies during investigations.

Online forum Lowyat.net, which raised the alarm over the issue last month, claimed last week that the data was sold for an undisclosed amount using bitcoin digital currency.

A version of this article appeared in the print edition of The Sunday Times on November 19, 2017, with the headline 'Malaysian telco data breach traced to Oman'. Print Edition | Subscribe