The row between the MCMC and Lowyat.net over an article alleging that the illegally obtained private data of millions of Malaysians was being put on sale has apparently been resolved.
Discomforting that these personal details are in the hands of strangers:
- Mailing address
- Email address
- Mobile phone number
- MyKad number
- Blacklist status
- Spouse’s details
According to Communications and Multimedia Minister Datuk Seri Salleh Said Keruak, there was a miscommunication between the Malaysian Communications and Multimedia Commission (MCMC) and Lowyat.net.
Teo Nie Ching (DAP-Kulai) had asked Salleh during the Minister’s Question & Answer session in the Dewan Rakyat on Oct 26 why the ministry was “shooting the messenger” since the MCMC had told the popular online forum to take down the article when it should have been searching for the culprit.
“There has been miscommunication between them but this has been resolved amicably.
“It was just a preventive measure…we hope there is no speculation about this matter as the investigation is still ongoing,” Salleh said in response.
He also said that the police and the ministry are in the midst of investigating third parties who had put up the information on the portal.
On Oct 19, Lowyat.net reported that the personal data of millions of Malaysians from various databases were put up for sale for an undisclosed amount of bitcoin (Internet currency) on its forum platforms.
The online forum said it was initially sceptical and thought the attempted sale a scam but discovered, upon investigation, it could be “one of the biggest data breaches ever in Malaysian history”.
Among the data on sale were data of doctors obtained from medical associations, including the Malaysian Medical Association, Malaysian Medical Council, Academy of Medicine Malaysia, Malaysian Dental Association and National Specialist Register of Malaysia.
The cache from the Malaysian Medical Association contained more than 20,000 records, while the leaked data from the Malaysian Medical Council, which oversees the registration of all medical practitioners in the country, contained almost 62,000 records. The doctors’ data included home and operating addresses, mobile phone number and MyKad number, with the data breach believed to have occurred between 2014 and 2015.
The breached data from online recruitment portal Jobstreet.com comprised almost 17 million rows of customer information, including candidate’s name, nationality, address, email id, login name, hashed password and mobile phone number. This data seemed to have been obtained between 2012 and 2013.
The mother load, however, were 50 million records from various telcos, including Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX. The telco data included customer name, billing address, mobile phone number, sim card number, imsi number, handset model and MyKad number, and appeared to have been obtained between 2012 and 2015.
Lastly, there were 720,000 entries of leaked housing loan application data with a wealth of personal information, including name, address, contact number, email address, MyKad number, job, employer details, salary, blacklist status and spouse’s details.
Upon instruction by MCMC on the same day, Lowyat.net took down the article but put it back up the next day.
Rights group Lawyers for Liberty (LFL) and PKR have issued statements demanding MCMC to explain if the report had any basis at all.
PKR communications director Fahmi Fadzil had said that the MCMC’s action in blocking the report created a perception that there are parties who are trying to hide the allegations of a massive personal data breach.
The sale of stolen data is strictly prohibited and punishable by law.