MCMC just traced the leak of 50 million M’sian phone numbers back to… the MCMC

Got some super annoying spam calls lately? It might’ve been because two years back, in October 2017, over 46 MILLION MALAYSIAN PHONE NUMBERS were victims of what is perhaps the biggest data breach in Malaysian history.

Everything from your telephone number, IC number and even your address were found for sale online. There was also a website to help you check if your details were part of the data breach called ‘SayaKenaHack.com’, which would eventually be taken down. It wasn’t just the data breach that made the news either. The Malaysian Communications and Multimedia Commission (MCMC) ordered Lowyat.net to remove news reports of the data breach, which itself also ended up making the news for controversial reasons.

However, what the news didn’t report on in the immediate wake of the data breach was just who exactly was responsible behind the leak. In fact, in our own coverage of the drama from Oct 2017, we also didn’t name who was responsible, cos at that time no one really knew… altho if you read that specific article you might’ve noticed that we did hint at who it might be after we did our own digging.

 

As it turns out, our hunch was right – it was the govt a govt contractor

In case you didn’t read the our 2017 reports, we spoke to Keith Rozario – the guy behind SayaKenaHack.com – and we also referenced his own tech blog quite a bit. Now here’s a bit from one of Keith’s blog entries that caught our attention back then:

“Consider also, that if you downloaded the data, (which I obviously have), it’s clear as day where the leak came from. It’s so clear, Stevie Wonder can see where the data was leaked from,” – Keith Rozario, in his blog

We explained this further in our article, but essentially, there was a lot of info in the data breach. Like, it wasn’t just the major telcos who kena, but like, almost every major and minor telcos – telcos we’ve never even heard of such as Friendi, PLDT and XOX.

So the hackers would either have:

1. Hacked every big and small telco company individually, 
2. Hacked one central source that just happens to have all the data from every telco company

Now Keith declined to comment who exactly did it, but when you start thinking about who in Malaysia could possibly have the data from all telco companies that operate here… *hinthint*

The good folks at Malaysiakini would take it one step further tho, by tracing the data leak trail all the way… to the MCMC themselves.

A Malaysiakini special report a few weeks following news of the data breach revealed that parts of the telco data had the terms PCBS, MCMC or SKMM in them. While MCMC and SKMM refer to, well, the MCMC, PCBS refers to the Public Cellular Blocking Service – a 2014 MCMC initiative to help victims of phone theft block their stolen phones. According to Malaysiakini, they found that the PCBS initiative was outsourced by the MCMC to a private firm called Nuemera Sdn Bhd.

Nuemera had actually been in the news even before the data leak occured; when MCMC awarded the PCBS contract to them, then-MP Wee Choo Keong questioned the decision to award a govt contract to a tech company allegedly led by directors who had relations with an UMNO minister. And the more we looked into Nuemera, the weirder things got.

For instance:

• Nuemera was listed as a dormant company by the Malaysian Companies Commission in 2017
• Nuemera was in the courts over tax trouble in 2016
• It’s alleged that Nuemera founder Mohd Noor Amin and then-MCMC head Dato Sharil were friends
• Prior to the PCBS contract, there was allegedly no previous record of Nuemera doing similar work before
• MCMC allegedly awarded the contract to Nuemera directly rather than thru an open tender
• The Finance Ministry were allegedly hesitant to give the PCBS contract to Nuemera

So does this mean that the MCMC may have messed up by hiring Nuemera? Well putting aside all the weird stuff we found about Nuemera for now, in the weeks following Malaysiakini’s report on the data breach Lembah Pantai MP Fahmi Fadzil actually sued both the MCMC and Nuemera over the data leak in early 2018, claiming that the two failed to do their duties, resulting in the leak happening.

While the police later stated that they were investigating the company over the data breach, it was however never fully confirmed that it was indeed Nuemera who was responsible over the data leak… until now.

 

The govt confirmed that Nuemera breached its contract with MCMC

So Fahmi Fadzil didn’t stop pressing the govt and MCMC about the data breach even tho he is now part of the govt. In the Dewan Rakyat recently, he brought up the topic again by asking how come Nuemera could’ve failed to take care of the data properly to the point where the details of almost 50 million Malaysian phone numbers and their respective owners where leaked. He also wanted to know if any action had been taken against Nuemera.

The Communications and Multimedia Ministry then gave a written reply to Fahmi Fadzil, confirming that Nuemera’s contract with the govt has been ripped up in May laster after investigations were carried out by the MCMC, Personal Data Protection Dept (JPDP) and PDRM.

“Following the investigation, on Jan 26, 2018, MCMC had suspended Nuemera’s appointment as it was found that the company breached basic provisions in the contract between MCMC and Nuemera.

“On May 21, 2018, MCMC issued a notice to Nuemera informing of MCMC’s decision not to renew the PCBS agreement for another five years as provided as an option in the contract agreement,” – MCMC statement, as quoted by Malaysiakini

Losing their govt contract would be the least of Nuemera’s concerns tho. MCMC’s response also noted that the company might’ve breached the Personal Data Protection Act 2010 and the Computer Crimes Act 1997. They concluded by adding that the investigation is over, with the deets of it passed on to the Attorney-General’s Chambers for action. You can check out Fahmi Fadzil’s tweet below for the MCMC’s full reply too:

14 Oktober 2019: Jawapan bertulis dari @kkmm_gov kepada YB @fahmi_fadzil di @MYParlimen hari ini menyatakan bagaimana Syarikat Nuemera (M) Sdn. Bhd. yang dilantik Kerajaan untuk melaksana sistem Sekatan Perkhidmatan Selular Awam (PCBS) gagal menjamin keselamatan 46.2 juta data.. pic.twitter.com/6d7nsizyjc

— Pejabat YB Fahmi Fadzil (@LembahPantai121) October 14, 2019

Sadly, details about how exactly the data breach happened was not revealed. Nevertheless, if there’s one positive we can take from this…

 

The PCBS might’ve been a good idea but the execution was… full of holes (that’s why leak)

Now to be fair to the MCMC, the PCBS was indeed a good idea on paper – if you lost your phone and wanted to make sure that anyone who stole it can’t simply use it, you can get the PCBS to block your phone, preventing it from being used even if the SIM card in it was swapped.

However, the decision to award the contract for the PCBS to an allegedly dormant tech company who had links to those higher up, despite some apparent some resistance from the Finance Ministry, perhaps should’ve raised a few more alarm bells. With the mystery of the cause for the leaks solved, it can perhaps be seen as a case study of how good ideas can lead to unexpected consequences if not properly carried out.