KUALA LUMPUR/SINGAPORE (Reuters) - Malaysia is investigating an alleged attempt to sell the data of more than 46 million mobile phone subscribers online, in what appears to be one of the largest leaks of customer data in Asia.
The massive data breach, believed to affect almost the entire population of Malaysia, was first reported last month by Lowyat.net, a local technology news website. The website said it had received a tip-off that someone was trying to sell huge databases of personal information on its forums.
The country’s internet regulator, the Malaysian Communications and Multimedia Commission (MCMC), was looking into the matter with the police, Communications and Multimedia Minister Salleh Said Keruak said on Wednesday.
“We have identified several potential sources of the leak and we should be able to complete the probe soon,” Salleh told reporters at parliament.
The leaked data included lists of mobile phone numbers, identification card numbers, home addresses, and SIM card data of 46.2 million customers from at least 12 Malaysian mobile phone and mobile virtual network operators (MVNO).
Cybersecurity researchers said the leaked data was extensive enough to allow criminals to create fraudulent identities to make online purchases.
Justin Lie, CEO of Cashshield, a Singapore-based anti-fraud company, compared the Malaysian case in its “degree of complexity” to the cyber attack on U.S. credit-scoring agency Equifax Inc, which said in September that cyber criminals had stolen sensitive information from 145.5 million people.
“Now these hackers have more quality information such as birth dates, IC numbers, mobile numbers, email address and passwords,” Lie said about the Malaysian attack.
MCMC’s chief operating officer Mazlan Ismail said on Tuesday the regulator had met with local telecommunications companies to seek their cooperation in the probe, according to state news agency Bernama.
Celcom, Maxis and Digi said in separate statements they were cooperating with authorities on the investigation.
According to a Singapore-based cybersecurity researcher, the leaked database was initially being sold on several underground forums for 1 bitcoin, which was trading on Wednesday at around $6,500. At least one other user was posting a link for anyone to download it for free.
The researcher, who declined to be named, said he had seen at least 10 people on an online forum in the “dark web” download the data before it was taken offline.
“Discussion in the dark web shows a huge interest,” he said.
Time stamps indicate the leaked data was last updated between May and July 2014, Lowyat.net said.
“We are urging the telco and MVNO companies mentioned above to alert, and start immediately replacing the SIM cards, of all affected customers, especially those who have not updated their SIM cards since 2014,” Lowyat.net said in a post.
Malaysia’s population is around 32 million, but many have several mobile numbers. The lists are also believed to include inactive numbers and temporary ones bought by visiting foreigners, The Star newspaper reported.
Bryce Boland, FireEye’s chief technology officer in Asia Pacific, said if the data was widely available as suspected, it could be used for identity fraud and scams.
“This stolen data may ultimately impact almost every Malaysian,” he said.
The data also includes private information of more than 80,000 individuals leaked from the records of the Malaysian Medical Council, the Malaysian Medical Association, and the Malaysian Dental Association, Lowyat.net said.
Meanwhile, online employment site jobstreet.com sent emails to its customers saying some personal information of accounts created before 2012 has been exposed.
The company confirmed to Reuters that it sent the emails to customers but gave no further details.
Additional reporting by Joseph Sipalan; writing by Praveen Menon; Editing by Bill Tarrant and Peter Graff