[UPDATED] This might be the biggest data breach in Malaysian history, and all Malaysians are at risk

[UPDATE 6th June 2018: Aiyo. We just read from our friends at Lowyat.net that at least 60,000 personal data records of Astro customers are for sale online. They found out that the seller is the same person selling 50,000 records in January 2018. Back then, the illegally-obtained data was sold for RM3,000/10,000 records, but this time round it seems like harga dah naik sikit as they’re being sold for RM4,500/10,000 records. 

For more info, read the full report on Lowyat.net here.] 

 

 

About a week ago (early October 2017), lowyat.net published an article exposing a possible data breach in Malaysia. But, what made this piece of news alarming was because it could be the biggest data breach in Malaysian history, with one set of data reportedly involving 50 million entries.

According to the article, they received a tip off that millions and millions of Malaysian’s data, including IC numbers, addresses and telephone numbers were being advertised on Lowyat forums. To add coal to the hype train, MCMC ordered the website to take down the advertisement and the article exposing their discovery. This of course received much criticism from some, but MCMC defended it as a preventive measure (later as a miscommunication) and has since allowed it to be re-published.

Currently, the Personal Data Protection Commission (part of the MCMC) and the police are investigating the matter, and a company involved (more on this later) has already agree to cooperate with the investigation. Since Malaysia has rarely experienced large scale data breaches, we explore a little bit about what could this mean for us, and what we can do. But first…

 

Are you affected by the alleged data breach?

To answer that, let us take a detailed look into what kind data was allegedly breached, and where the data came from.

• 50 million records, including foreigners: Customer names, billing addresses, mobile phone numbers, sim card numbers, unique International Mobile Subscriber Identity (IMSI) and unique International Mobile Equipment Identity (IMEI) numbers, handset models and MyKad numbers of customers from Malaysian Telcos including Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX. (Likely obtained between 2012 – 2015)
• 17 million rows of customer information: Candidate’s name, login name, hashed passwords, email id, nationality, address and handphone number from Jobstreet database. (Likely obtained between 2012 to 2013)
• 62,000 records: Personal details, IC numbers, home and operating addresses and mobile numbers from Malaysian Medical Council, which oversees the registration of all medical practitioners in Malaysia. (Likely obtained between 2014 – 2015)
• 20,000 records: Personal details, IC numbers, home and operating addresses and mobile numbers from Malaysian Medical Association (Likely obtained between 2014 – 2015).
• 720,000 entries: Name, MyKad number, contact number, email address, blacklist status, address, job, employer details, salary and spouse’s details from housing loan applications (Likely obtained between 2014 – 2015).

Though the exact numbers for the housing loan applications weren’t found in the original article, we did find it reported by Malaysiakini. The period when these data were obtained wasn’t mentioned either. The founder of Lowyat.net added that sales of the data was aggressively promoted on the forum.

“The seller had created many new accounts, trying to sell the data. We had to continuously remove them. The accounts were created using many email addresses and new IP addresses.” – Vijandren Ramadass, Founder of Lowyat.net told The Malaysian Insight

So it would seem that, unless you’ve only applied for a phone number after 2015, it is very likely that some of your info is in the hands of people that aren’t supposed to have them. To put it in context, Malaysia’s population is 31.19 million, and there are already 50 million records from Malaysian telcos alone.

But even if all that info has been stolen, what could they even use it for? Our passwords are still safe with us right?

 

It’s still difficult to steal your money, but they can steal your IDENTITY

As one might wonder, even if they had our IC number, address, phone number and what not, they can’t get access to our accounts or buy stuff with our cards right? After all, our passwords and pin numbers still remain safe and unknown, and in this day and age, online purchases would require TAC codes from our personal handphones to approve. So what’s the big deal?

Lets start with the telcos. Notice that we’d highlighted two specific details in the long list of things you’ve probably skipped. As their names suggest, the unique International Mobile Subscriber Identity (IMSI) and unique International Mobile Equipment Identity (IMEI) numbers are different for each SIM card, and it is basically the brain of your phone.

Using those numbers, hackers can clone your phone, and then track your phone calls, read your messages, and even use your number as their own. The good news is, not all SIM cards are clone-able, as we understand from this article that teaches you how to clone SIM cards. Now, where is the TAC code sent again?

Criminals can also use your info to book hotels, commit cyber crimes or launder money. BUT WAIT, there’s MORE! As it turns out, its pretty easy to fake your identity on (literal) paper, too!

“The identity thief can use your information to fraudulently apply for credit, file taxes, or get medical services. These acts can damage your credit status, and cost you time and money to restore your good name.” – USA.gov

In other words, these identity snatchers can open bank accounts using your name, and then use that to get loans, credit cards, and even to apply for certain benefits and services, leaving you with a mountain of debt. This is why banks and services have policies and rules, like requiring your physical IC and thumbprints. But then ICs can be forged, and phone numbers, addresses and e-mails can be changed, so you wouldn’t even know until its too late. And if the thieves are missing something, no worries, as the information they need might just be a phone call away.

As of late, there is increased worry among Malaysians on phone scams attempts, pretending to be banks and even policemen on investigation. Even more recently, they even seem to be stepping up their game. The Lembaga Hasil Dalam Negeri (LHDN) warned the public of fake LHDN websites and emails that attempt to coax unsuspecting tax payers to provide their bank account numbers. This method is known as “phishing“.

“Please note that LHDN have never sent e-mails to taxpayers to ask them to disclose their bank account numbers. This is because the bank account information will be obtained through the declaration by the taxpayer when they complete the Income Tax Return Form each year.” – LHDN said in a statement, quoted from The Sun Daily

If I’m extra careful and keep my information secret, I will be OK right?

Identity thefts have been happening even before the internet era, its just that they have more channels to get information now. If you’ve ever received suspicious texts about loans, properties or online gambling, or even had “the bank” call you for information, chances are your data has already been compromised in some manner. In the recent Equifax breach, involving the credit data of 143 million people, a person with 35 years experience fighting cyber crime said this:

“We have to stop focusing on how do we stop getting things stolen and focus on stopping data from being used.” – Neal O’Farrell, executive director of The Identity Theft Council, quoted from The Morning Call

Having said that, it doesn’t mean that you can’t do more to prevent further breach of information:

• Don’t respond to suspicious calls, e-mails, text claiming to be authorities. If you’re unsure, you can always contact the relevant authorities directly.
• Watch your mail, calls, and accounts closely. Look for suspicious transactions in credit or bank reports, or unfamiliar names, accounts, phone numbers etc.
• Use two step verification for your money-related accounts if you can. Use TAC or other verification codes that are usually sent by text to your cell phone.
• Use stronger/ more complex passwords for important accounts. If you’re still using “1234” or “password” or “password1234”, STOP IT.

Generally, don’t give your details to strangers unless you’re sure they are the proper authority. But, what if my data is already stolen?! What can I do?! Obviously, you need to report it to the relevant company immediately, and perhaps put a freeze on your account. In the case of SIM cards, you should probably get a replacement. You may also need to lodge a police report.

It may serve as a consolation to know that people end up losing more time fixing the problem than they lose money, according to the Bureau of Justice Statistics (U.S). So yea, if you value money more than time… hoorayy??

 

I’m so ANGRY now? Can I sue my telco company for this?

According to the Personal Data Protection Act 2010, companies are supposed to ensure that data they collected are protected and safely kept. If convicted, the failure to do so is liable to a fine of RM300,000 or imprisonment for no more than 2 years or both. But so far, the case is still an on-going investigation. So we’ll have to wait until those responsible have been found found and trialed.

In the meantime, we can all protect information, and we don’t have to fight alone. The gomen obviously has a big role to play, and they have been implementing stricter rules on phone service this year, requiring a registration for pre-paid users and cutting down the number of SIM cards tied to a single name, among other things.

Of course, companies that handle public information have responsibility too, and there’s one more thing to keep an eye out for. In the Equifax breach in the U.S. mentioned earlier, the company only exposed the news 6 weeks after it happened. In that time, 3 of the company officials sold 1.8million USD worth of company shares. If the Malaysian breach turns out to be true, the companies have to answer for whether they knew about the breach, and if so, why weren’t customers told about it?

In the U.S., it is required by law for victims of data breach to be notified by mail. The notification serves as important proof and also comes with instructions on what to do next. As data becomes more valuable, data breaches will become more common. While companies and the gomen have a role to play in protecting our info, it really begins with safeguarding our privacy ourselves.