Malaysia Stung by Massive Data Breach Affecting MillionsMobile Phone Records Appear on Dark Web, Both for Sale and for Free
Malaysian authorities are investigating a sweeping data breach that included more than 46 million mobile phone records, a job seeker website's database and records from several national medical organizations.
The Malaysian Communications and Multimedia Commission, a government regulator, has identified possible sources of the data with help from police, Malaysian government news agency Bernama reported Wednesday.
The country's communications and multimedia minister, Salleh Said Keruak, said his ministry would take "immediate action" to find those responsible for the breach, which violates the country's Personal Data Protection Act 2010, Bernama reported.
So far, it appears that only the job seekers website, called JobStreet.com, has alerted breach victims. Malaysia does not have a mandatory breach notification law, according to the law firm DLA Piper.
The breach is likely the largest in Malaysia to become public, says Bryce Boland, FireEye's CTO for Asia Pacific. FireEye has worked on breach investigations in Malaysia, but he says most never get publicly disclosed.
"I think this is a very big breach in the context of Malaysia," Boland says. "It quite likely impacts every person in Malaysia, or at least a very large subset."
The exposed data includes 46.2 million mobile phone records from a dozen operators and mobile virtual operators in the country. Malaysia's population is about 31 million, suggesting that multiple records for the same people were compromised.
The phone records contain customer addresses, prepaid and postpaid phone numbers and SIM card information, including IMEI and IMSI numbers, reported Lowyat.net, the technology news site that broke the story on Oct. 19.
Lowyat.net stumbled across the data in mid-October after being alerted that someone had posted it for sale for an unspecified amount of the virtual currency bitcoin in one of its forums.
"While we did brush it off as just another scammer looking to make a quick buck at first, we decided to dig a little further and discovered that this could be one of the biggest data breaches ever in Malaysian history," the website writes.
Lowyat.net's scoop caused a kerfuffle. After it published a story on Oct. 19, the Malaysian Communications and Multimedia Commission ordered the publisher to remove the advertisement from its forums, which it did.
But then the regulator ordered the publisher to remove its news story. After at least one human rights group criticized the order, the regulator allowed the publisher to put the story back online.
Lowyat.net, which extensively examined the data, reported the telecom files were last modified between May and July 2014.
The breach encompassed many Malaysian organizations, including the Malaysian Medical Council, Malaysian Medical Association, Academy of Medicine Malaysia, Malaysian Housing Loan Applications, Malaysian Dental Association and the National Specialist Register of Malaysia. The medical database also contained personal information, Lowyat.net reported.
Dark Web Sales
Citing an anonymous researcher, Reuters reported Wednesday that the data was at one time for sale on several underground web forums for 1 bitcoin, currently worth about $6,500. It was also available for free through a link in a forum.
Australian data breach expert Troy Hunt obtained the JobStreet data from a "hidden" website, or one hosted using the Tor anonymity system. He has now loaded the leaked email addresses into Have I Been Pwned, a free website that notifies registered users any time their email address appears in a major data breach.
Hunt says he had access to the other leaked data, but chose to only put JobStreet in HIBP. It was the only data set that had a significant number of email addresses, which his service uses to notify victims, he says.
The JobStreet data included 4 million email addresses, according to Hunt's description on HIBP. The data also included names, genders, nationalities, birth dates, phone numbers, physical addresses, passwords, user names, geographic locations, government issued IDs and marital statuses.
Lowyat.net reported that JobStreet says the data appears to affect users who registered prior to July 2012. The publication included a copy of JobStreet's breach notification email to one user, which is dated Wednesday.
Titled "Important Security Notice," the email says: "There is no evidence to suggest your personal account has been accessed beyond 2012." JobStreet neglected to tell users what data had been leaked, which is considered a best practice.
Hunt says the Malaysian breach is notable because an extensive amount of data from many different sources was collated into one place. Also unique is that someone posted the data and made it available for free while someone else attempted to sell it.
It's likely the data has spread further afield, Hunt says. "It's impossible to say how many parties have now obtained that data, but I expect it's many different hands given the way in which it was published," he says.
Mobile phone data is extremely useful for attackers, FireEye's Boland says. With a phone number, scammers can contact potential victims over SMS or applications such as WhatsApp or Skype, sending malicious links with malicious software. Social engineering attempts could try to trick people into revealing more personal information.
"I would anticipate we will probably see an increase in the number of people targeted by criminals," Boland says.