The personal details of some 46.2 million mobile phone subscribers in Malaysia have been stolen, in what is believed to be the largest data breach in the country, local media reported yesterday.
Online technology site lowyat.net said the hackers have the home addresses, identity card numbers, SIM card information and private details of almost the entire Malaysian population of 32 million. Many Malaysians have several mobile numbers.
The site on Monday "confirmed" that 46.2 million mobile phone numbers were leaked online, in a follow-up report on its Oct 19 alert that someone was trying to sell the data from a huge breach in 2014.
In addition, 81,309 records from the Malaysian Medical Council, the Malaysian Medical Association and the Malaysian Dental Association were also exposed, the tech site said.
The records contained personal information such as residential addresses along with IC and mobile phone numbers.
The communications and Internet regulator, the Malaysian Communications and Multimedia Commission (MCMC), has said it is investigating the breach with the police.
When contacted yesterday, the police said the probe is being led by the Department of Private Data Protection, an agency under the Ministry of Communications and Multimedia. Both MCMC and the department could not be reached.
Founder of lowyat.net Vijandren Ramadass told The Straits Times that the site's team followed the online trail left by the individual who tried to sell the data and discovered that the information was already available for download for free.
"We have disclosed the complete details to the MCMC," he said, adding that he believes telcos should admit the breach occurred and advise their customers on the next steps.
The MCMC has held meetings with local telcos to ensure that they are aware of the leak and will give full cooperation to investigators.
MCMC operations chief Mazlan Ismail told national news agency Bernama yesterday that the operators need to know "what is happening, especially when the police, through their Commercial Crimes Unit, come to meet them as part of the investigation".
Cyber security analysts said the hackers could make Malaysia vulnerable to phone scam attacks.
"Scammers (could) pretend to be someone calling or texting from the telco since they can prove they have the target's personal details," network and security strategist Gavin Chow was quoted as saying.
Other users could be tricked into transferring their money or installing "telco applications" containing malware or spyware. These could be used to exploit the target in the future.
Mr Chow said users need to be alert when receiving calls and messages from strangers. "Do not get tricked into sharing more personal details, transferring funds or installing apps."
Mr Dinesh Nair, a technology strategist, told The Star that there was not much that consumers could do. But they might want to change their SIM cards because the hackers have stolen IMSI and IMEI data - electronic identifiers unique to each phone which are embedded into a SIM card.
"I'm sure my data is there as well. People with really good technical skills will be able to clone someone's phone and that's the worst-case scenario," he said.
A "cloned" phone in effect allows a perpetrator to use the same number owned by another user, with the phone bill sent to the home of the original owner.