Malaysia investigating reported leak of 46 million
mobile users' data
Send a link to a friend
[November 02, 2017]
By Rozanna Latiff and Jeremy Wagstaff
KUALA LUMPUR/SINGAPORE (Reuters) - Malaysia
is investigating an alleged attempt to sell the data of more than 46
million mobile phone subscribers online, in what appears to be one of
the largest leaks of customer data in Asia.
The massive data breach, believed to affect almost the entire population
of Malaysia, was first reported last month by Lowyat.net, a local
technology news website. The website said it had received a tip-off that
someone was trying to sell huge databases of personal information on its
The country's internet regulator, the Malaysian Communications and
Multimedia Commission (MCMC), was looking into the matter with the
police, Communications and Multimedia Minister Salleh Said Keruak said
"We have identified several potential sources of the leak and we should
be able to complete the probe soon," Salleh told reporters at
The leaked data included lists of mobile phone numbers, identification
card numbers, home addresses, and SIM card data of 46.2 million
customers from at least 12 Malaysian mobile phone and mobile virtual
network operators (MVNO).
Cybersecurity researchers said the leaked data was extensive enough to
allow criminals to create fraudulent identities to make online
Justin Lie, CEO of Cashshield, a Singapore-based anti-fraud company,
compared the Malaysian case in its "degree of complexity" to the cyber
attack on U.S. credit-scoring agency Equifax Inc, which said in
September that cyber criminals had stolen sensitive information from
145.5 million people.
"Now these hackers have more quality information such as birth dates, IC
numbers, mobile numbers, email address and passwords," Lie said about
the Malaysian attack.
Customers of Malaysia's biggest mobile service providers, including
Maxis <MXSC.KL>, Axiata Group's Celcom <AXIA.KL> and DiGi <DSOM.KL>,
among others, were affected.
MCMC's chief operating officer Mazlan Ismail said on Tuesday the
regulator had met with local telecommunications companies to seek their
cooperation in the probe, according to state news agency Bernama.
Celcom, Maxis and Digi said in separate statements they were cooperating
with authorities on the investigation.
[to top of second column]
Diners check their phones at a restaurant in the main shopping
district of Kuala Lumpur, Malaysia, February 17, 2016.
REUTERS/Olivia Harris/File Photo
"ALMOST EVERY MALAYSIAN"
According to a Singapore-based cybersecurity researcher, the leaked database was
initially being sold on several underground forums for 1 bitcoin, which was
trading on Wednesday at around $6,500. At least one other user was posting a
link for anyone to download it for free.
The researcher, who declined to be named, said he had seen at least 10 people on
an online forum in the "dark web" download the data before it was taken offline.
"Discussion in the dark web shows a huge interest," he said.
Time stamps indicate the leaked data was last updated between May and July 2014,
"We are urging the telco and MVNO companies mentioned above to alert, and start
immediately replacing the SIM cards, of all affected customers, especially those
who have not updated their SIM cards since 2014," Lowyat.net said in a post.
Malaysia's population is around 32 million, but many have several mobile
numbers. The lists are also believed to include inactive numbers and temporary
ones bought by visiting foreigners, The Star newspaper reported.
Bryce Boland, FireEye's chief technology officer in Asia Pacific, said if the
data was widely available as suspected, it could be used for identity fraud and
"This stolen data may ultimately impact almost every Malaysian," he said.
The data also includes private information of more than 80,000 individuals
leaked from the records of the Malaysian Medical Council, the Malaysian Medical
Association, and the Malaysian Dental Association, Lowyat.net said.
Meanwhile, online employment site jobstreet.com sent emails to its customers
saying some personal information of accounts created before 2012 has been
The company confirmed to Reuters that it sent the emails to customers but gave
no further details.
(Additional reporting by Joseph Sipalan; writing by Praveen Menon; Editing by
Bill Tarrant and Peter Graff)
[© 2017 Thomson Reuters. All rights
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.