[BreachExchange] JPN data of 4 million Malaysians up for sale?

Tue Sep 28 08:33:28 EDT 2021

https://www.msn.com/en-my/news/national/jpn-data-of-4-million-malaysians-up-for-sale/ar-AAOTQ2X

The personal data of millions of Malaysians aged 23 to 43 kept by the
National Registration Department (JPN) appears to have been put up for sale
online for about RM35,000, an IT expert has claimed on Twitter.

Adnan Shukor also shared a screenshot showing the seller offering the data
of four million people leaked through the Inland Revenue Board (LHDN).

The tax agency is one of 10 government bodies on a shared platform called
myIDENTITY where data from JPN is shared.

MalaysiaNow understands that LHDN is currently investigating the claims.

According to the screenshot, a total of 32GB of data in 19 files contain
the information of those born between 1979 and 1998, with details such as
addresses, mobile numbers and photographs, as well as race, religion and
MyKad identification numbers.

The data is being offered for 0.2 bitcoin, which equals to about RM25,000
at the current cryptocurrency exchange rate.

Meanwhile, an article on popular technology forum Lowyat.net said this was
not the first time the seller was offering personal data for sale.

It said the same seller had put up a database he claimed was siphoned off
from the Election Commission.

The government platform myIDENTITY was launched about a decade ago to ease
the sharing of data of Malaysian citizens and permanent residents.

Apart from JPN and LHDN, the platform also makes the data available to the
immigration department, Road Transportation Department, Election
Commission, Education Service Commission, Social Welfare Department, Labour
Department of Peninsular Malaysia, National Higher Education Fund
Corporation, as well as the police.

The system has made it more convenient for Malaysians in that data need not
be repeatedly entered when dealing with the online forms of government
agencies.

Despite the implementation of the Personal Data Protection Act in 2013,
several cases of personal data leaks have been reported over the years.

These include the 2017 data breach involving more than 46 million
subscribers of major mobile telco services, with details leaked on the dark
web complete with phone numbers and home addresses.

In March, meanwhile, details of hundreds of thousands of credit cards
issued by banks in Malaysia, Singapore, the Philippines, Vietnam, Indonesia
and Thailand were found online in another massive data breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210928/eb809da4/attachment.html>