[BreachExchange] Database Seller Strikes Again: Personal Data of 10 Million Malaysian Voters Could Be On The Line

Tue Feb 16 10:45:14 EST 2021

https://www.lowyat.net/2021/232363/10-million-malaysian-voters-database-listed-online/

Following the databases that were said to contain information about
E-Pay Malaysia and Ifmal customers, there is a new listing that
claimed to have 10 million Malaysian voters in its database. The
listing took place last weekend on the same marketplace forum that
featured the two previous databases.

First reported by OMG Hackers, it was put up by the same seller that
claimed to have personal information from 200,000 Ifmal customers
which have since been refuted by the e-commerce platform.

The images that the seller has included in the listing also contained
a reference to the #KitaMintaLima hashtag that has gone viral on
Twitter recently. The seller also claimed that the database is being
split according to individual birth years from 1950 to 1996.

Aside from names, the seller also claimed that the database contains
other details such as IC numbers and addresses. Also noticeable in the
screenshots within the listing are voters’ areas and localities as
well as their assigned state legislative and parliamentary zones.

The seller didn’t put up any pricing inside the listing although it
was noted that the buyer has to pay for the database using either
Monero or Bitcoin. Four days have passed since the listing went online
but the Election Commission of Malaysia (SPR) has yet to release any
official statement regarding it even though the commission is already
aware of the listing according to a report by Harian Metro.

That being said though and you may not be aware of this but the
electoral roll (DPPR) can actually be purchased directly from SPR. Of
course, only a select group of organisations such as political parties
can get their hands on the DPPR which comes in the form of a physical
book and CD.

The pricing of the DPPR for each state legislative and parliamentary
zone are different from one to another as it is generally based on the
number of voters within respective zones. During the 14th General
Election (PRU 14) in 2018, the complete DPPR for the whole of Malaysia
which contained 14,940,624 voters was priced at RM 60,520.20 by SPR
[pdf].

So, if the claim by the sellers of the so-called leaked voters’
database is true, that means the database is likely to be incomplete.
Nevertheless, SPR and related authorities need to address this matter
urgently since it not only involved personal data that belonged to
millions of Malaysians but it has also cast doubts on the ability of
SPR and local political parties or whoever that has access to the
database, to safeguard the information.