Malaysian police probing data leaks involving 46.2 million mobile phone numbers

KUALA LUMPUR — Malaysian police are investigating the leak of some 46.2 million mobile phone numbers and mobile virtual network operators (MVNO) in what could possibly be the country’s biggest personal data breach.

At the same time, Internet regulator Malaysia Communications and Multimedia Commission (MCMC) met with local telcos to brief them on the latest development regarding the ongoing probe.

National police chief Mohamad Fuzi Harun said on Tuesday (Oct 31) that the investigation is being carried out by the Commercial Crime Investigation Department.

“We are working with MCMC as this case is quite complicated since it involves telecommunication service providers,” he told the New Straits Times, warning that the authorities will not hesitate to take action once it identify the culprits.

“We cannot reveal much as (investigations) is still ongoing. We are collecting information to ascertain how the data was leaked.”

Popular Internet forum and technology magazine website first reported on the data breach on Oct 19, noting that personal information of millions of Malaysians were up for sale on its online forums and that the source of breach was still unknown.

It said it found out about the matter after receiving a tip-off.

In a follow-up report on Monday (Oct 30), it said the leak included postpaid and prepaid numbers, customer addresses as well as SIM card details from all major telco operators, namely DiGi, Celcom, Maxis, Tunetalk, Redtone and Altel.

“Time stamps on the files we downloaded indicate the leaked data was last updated between May and July 2014 by the various telcos,” said.

It also said the databases of Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA) were compromised.

These medical databases included personal information, identity card numbers, mobile/work/home phone numbers, as well as work and residential addresses.

“We have shared all details regarding the data that we uncovered, as well as how we managed to obtain all the data with the MCMC last week,” the website said.

“The MCMC is following up with the relevant agencies to determine the source of the breach, but we now believe that the data was already being traded online much earlier than we first estimated. Based on the condition of the files that we obtained, we are quite certain that it has already changed hands more than once.”

As a result of the breach, MCMC chief executive officer Mazlan Ismail said it had recently met with the telco providers to ensure they “understand what is going on if the police approach them to facilitate investigation.”

He however did not say when the meeting took place.

TODAY attempted to get further information from MCMC but a spokesperson said that it will not be commenting further.

“The police are leading the investigation and because it is still ongoing, we will not be making any statements at this point in time,” said the spokesperson.

Any person found guilty of selling personal data can be fined up to RM500,000 (S$160,971.88) or jailed for a maximum of three years or both under Malaysia’s Personal Data Protection Act.

The legislation was enacted in 2010 to protect personal data of Malaysians from being misused.

MCMC also has a general consumer Code of Practice for the communications and multimedia industry, where it spells out measures service providers should take to provide adequate security for personal data.

Nevertheless, the data breach has left Malaysians worried.

Mr Royce Cheah said he and his wife received an average of one call a week from companies offering personal loans and credit cards, property promotions and invitations to go for health screenings — and he suspects these companies obtained their phone numbers from other sources which may not be strictly legal.

“Someone’s selling the data obviously — which means someone’s buying. As to how the data is obtained, well it would have had to be stolen or taken from somewhere right?” said the human resource recruiter.

“While these phone calls may be an annoyance, I think the more worrying part is that the data obtained may include addresses and IC numbers and far more sinister things could be done with all that information.”

Writer and translator Pauline Puah said Malaysians need to be careful in not divulging personal information such as phone numbers and addresses on public forums or online group chats.

“Those with young children have got to be particularly vigilant, if they want to share pictures of their children make sure it is restricted among family and friends only instead of at a public forum,” she said. AGENCIES with additional reporting by EILEEN NG.