By A. Ananthalakshmi and Jeremy Wagstaff
KUALA LUMPUR/SINGAPORE (Reuters) – Personal details of tens of millions of Malaysians obtained from a 2014 data breach have likely been available for sale for a long time, according to the founder of an online portal who revealed the massive data breach this week.
Malaysia said on Wednesday it was investigating an alleged attempt to sell the data of more than 46 million mobile phone subscribers online, in what appears to be one of the largest leaks of customer data in Asia.
Vijandren Ramadass, the founder of tech portal Lowyat.net, uncovered the data leak – which is likely to have affected almost every Malaysian and possibly millions of tourists – when a user tried to sell the data on the portal’s forum last month.
Further investigations by Ramadass led him to the dark web, where he found web links to download the data. He said the fact he was able to obtain all the data – valuable to fraudsters – for free suggested it had been around for a while.
“Somebody might have already made a lot of money from it, and somebody else decided to release it,” Ramadass told Reuters. “The longer the data it is out there, the more likely it is to be released for free.”
Ramadass said the data likely came from multiple sources as the datasets had different formats and fields. Time stamps indicate the leaked data was last updated between May and July 2014.
The leaked data, which cybersecurity experts have said was extensive enough to allow criminals to create fraudulent identities to make online purchases, included lists of mobile phone numbers, identification card numbers, home addresses, and SIM card data of 46.2 million customers. It also contained personal data from some medical associations and a jobs portal.
The country’s internet regulator, the Malaysian Communications and Multimedia Commission (MCMC), has said it is investigating the breach, along with the police, but there has been no official confirmation of the scale of the breach.
The material had been posted on several underground websites, including a Russian hacker forum, in mid-October, according to a Singapore-based cybersecurity researcher.
The Facebook page of a Malaysia-based internet marketing consultant had been offering data whose descriptions sounded similar to the hacked cache on Oct. 4. When the researcher contacted the person running the page, the posting was removed.
A cached version of the page showed it was offering 16 million records, including what it said were the databases of telephone companies, as well as other material that did not appear to match those in the reported leak.
Someone with the same contact details had also been attempting to sell a “database for business and marketing” on a local e-commerce website, Carousell, saying it included names, mobile numbers, addresses and identity card details by location, buildings and roads.
The ad had been uploaded on Oct. 16, and it was not clear if the data was the same as the reported breach. The Carousell user declined to say where the data came from when contacted by Reuters.
Bryce Boland, chief technology officer for Asia Pacific at cybersecurity firm FireEye, said what was unusual about the Malaysian case was that the data sale went public.
“Most of the sales of this kind of data is pretty closed, only to members of trusted networks,” he said. “There’s a lot more data being sold on the underground beyond this particular disclosure.”
The Singapore-based researcher said he was not surprised that organizations and the government had been slow to publicly discuss the breach.
“In Southeast Asia reputation is always an issue,” the researcher said, declining to be named. “Every time there is a breach, they rarely elaborate on it.”
Lowyat’s Ramadass, who first reported on the data leak on Oct. 19, said he has been working closely with MCMC since then, providing the regulator with links to the sites that let users download the data, which had then been blocked.
“The public is still not aware of how serious it is. It’s really up to the telcos and MCMC to educate the public on how the data may be abused,” Ramadass said.
Malaysia’s biggest mobile service providers, including Maxis, Axiata Group’s Celcom and DiGi, among others, have said they are cooperating with authorities, but have not made any comment on what steps customers who may have been affected should take.
Malaysia’s population is around 32 million, but many people have several mobile numbers. The lists are also believed to include inactive numbers and temporary ones bought by visiting foreigners, The Star newspaper reported.
(Reporting by A. Ananthalakshmi in Kuala Lumpur and Jeremy Wagstaff in Singapore; additional reporting by Praveen Menon; Editing by Alex Richardson)