Personal details of over 200,000 Malaysian organ donors leaked online: Report

Inspector-General of Police Mohamad Fuzi Harun said the details were leaked to Lowyat.net by the same source that leaked the mobile phone data breach.
Inspector-General of Police Mohamad Fuzi Harun said the details were leaked to Lowyat.net by the same source that leaked the mobile phone data breach.PHOTO: THE STAR/ASIA NEWS NETWORK

KUALA LUMPUR - Another major leak of personal data has been reported in Malaysia, just three months after the uncovering of 46.2 million personal details of mobile phone subscribers online.

According to online technology site Lowyat.net, some 220,000 Malaysian organ donors and their next-of-kin have fallen victims to possible personal identification data theft.

"While the total number of records of this leak is nowhere near the massive amounts of data leaked in the mobile telco data breach that we reported back in October 2017, this leak contains one very serious implication where it reveals personal information of a nominated next-of-kin," the forum said in a post on Tuesday (Jan 23).

"This doubles up the actual number of records leaked to 440,000, and also links two individuals to each other in a binding relationship - whether it may be husband/wife, siblings or parental," it said.

Malaysia's top cop Mohamad Fuzi Harun said police will be summoning the administrators of Lowyat.

He described as "suspicious" that the reports on the two data breaches appeared to originate from the forum.

"We find it suspicious and we will be in contact with the website administrators regarding this case. The case is being investigated by the Commercial Criminal Investigation Department," he told a news conference on Wednesday.

Lowyat.net, named after the popular tech mall Low Yat Plaza in Kuala Lumpur, said that among sensitive information that were leaked included donors' full name, IC number, next-of-kin's full name and nature of relationship, as well as race, gender and organ to be donated.

The data were stored in files dated 1997 to 2016. The details have been made available online as early as September 2016, the tech site said.

"The leaked data contains sign-up data from government hospitals as well as national transplant resource centres across the country - which would mean that it has been retrieved from a central database," it said, adding that it has already alerted the Department of Personal Data Protection of the alleged data leak before the report was published.

Lowyat founder Vijandren Ramadass was quoted by Reuters as saying that the portal discovered the leak was being shared on a popular file sharing site for free and the files are "still online".

"We did submit a direct request to the host on Sunday to remove the files but we didn't get any response," he said.

Malaysia's cyber crime chief Ahmad Noordin Salleh, when met at a Cyber Security Seminar on Wednesday, said no reports have been filed on the latest breach so far.

In a statement, Malaysia's Internet regulator Malaysian Communications and Multimedia Commission said it views the matter seriously and an investigation has been launched.

It was understood that the case will be probed by the police, Department of Personal Data Protection and MCMC.

In October last year, Malaysia was rattled with what was believed to be the biggest data breach in the country, with the personal details of some 46.2 million mobile phone subscribers leaked.

Among the data that were compromised included users' home addresses, identity card numbers, SIM card information and private details of almost the entire Malaysian population of 32 million. Many Malaysians have several mobile numbers.

Police chip Tan Sri Fuzi said on Wednesday that little progress had been made on the probe into the mobile phone data breach.

"The case is under the Malaysian Communication and Multimedia Commission's jurisdiction and we are only assisting them. We tracked the IP of the breach to four countries overseas and haven't been able to move further with the case so far," he said.