May 19, 2022
PETALING JAYA – An alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, purportedly stolen from the National Registration Department (NRD), has once again put the country’s data security measures in the spotlight.
Local tech portal Amanz reported that the database, 160GB in size, is being sold for US$10,000 (RM43,950) on the dark web.
In the screenshot shared by the portal, the seller claimed that this is an expanded database compared to the one he sold in September last year, which was only up to 1998.
Registration Department (NRD) through the My Identity API. MyIdentity is a centralised data-sharing platform that is used by various government agencies.
However, when the first data leak allegedly involving the NRD database of people born between 1979 to 1998 was discovered last year which was being sold for 0.2 BTC (RM35,350), Home Minister Datuk Seri Hamzah Zainudin denied there was an intrusion.
“Don’t worry about data held by NRD. Our firewall is quite strong,” he said in a report.
He also said all agencies using the MyIdentity system had been instructed to implement stricter safety measures.
Lawyer Foong Cheng Leong said the lack of transparency on investigations related to data leaks in Malaysia has been frustrating.
“There needs to be an account of how the matter is being investigated and what steps are being taken to ensure that the data is secure.
“The information could serve as a deterrent to others and show that there will be consequences for those leaking private information,” he said in a phone interview.
Foong urged fresh investigations to be conducted by the relevant agencies, including the Department of Personal Data Protection (JPDP) to discover if the leak was genuine.
When contacted, JPDP declined to comment at this point.
Foong said the data from the alleged leak could be used by scammers to dupe victims.
“For example, they could pose as an authority figure and present information such as your MyKad number or address to gain your trust.
“They will use this to convince you to give out more details or perform financial transactions,” he said.
When contacted, CyberSecurity Malaysia declined to comment, stating that the matter is under the jurisdiction of JPDP.
And the NRD has yet to respond to requests for information.