Posted on a well-known database marketplace forum earlier this week, one of the data sets came from three different organisations including Astro, Maybank, and SPR. The seller didn’t put any asking price directly on the listing though and insisted that interested parties use the forum’s private message feature or contact them directly through Telegram. The listing also didn’t provide any details regarding the date and validity of these datasets though. Hence, it is unknown whether the data have been leaked before, especially for Astro and SPR who have already encountered several data leak incidents over the years. That being said, the samples the seller displayed on the listing were unmasked and revealed plenty of personal details including full name, MyKad number, address, and mobile phone number. Not to forget, the seller seemed to be an established user at the forum, judging from their user profile and activities. This particular listing has already caught the attention of Communications and Digital Minister, Fahmi Fadzil. In a short post on his Facebook page and Twitter, the minister noted that CyberSecurity Malaysia and Personal Data Protection Department will be asked to investigate the matter.
Saya akan minta CyberSecurity Malaysia, JPDP siasat apakah benar berlaku kebocoran data melibatkan pihak-pihak berkenaan, serta mengambil tindakan berdasarkan undang-undang. https://t.co/ZvaTJajVje — Fahmi Fadzil 🇲🇾 (@fahmi_fadzil) December 30, 2022 Meanwhile, there is a separate listing that was posted slightly earlier on the same database marketplace forum by another user who claimed that it came from Unifi’s official website. The seller not only said that the database has more than 2.7 million entries but also offered admin access which we assumed to at least one of Unifi’s backend systems. Based on the data sample that was attached to the listing, it seemed that the data is related to Unifi Mobile. If we have to make an educated guess, it seemed possible that what we are looking at here is the transaction record of credit reloads by prepaid customers.
For both the database and admin access, the seller is asking for just USD850 (RM3,752) which seemed rather low since it includes access to the backend system that belonged to the country’s biggest converged telco company. While we are at it, an anonymous tipster has pointed us to a data leak involving the Malaysian Board of Technologists (MBOT). It comes in a form of a 5.1MB text file that was hosted on cloud storage and contains the list of accredited technologists throughout the country.
Odd enough, the personal data inside the file varies from one person to another. Nevertheless, the existence of the file should be a concern for MBOT members out there since it contains their names, MyKad numbers, and addresses. At the moment, we are not sure if TM and MBOT are already aware of these incidents. Given that Fahmi has already noted that cyber security is one of his top priorities since the start of his tenure as the Communications and Digital Minister earlier this year, we don’t think it is going to take long before they entered his radar. [Thank you @xanda for the heads up!]
