Personal data of Malaysians found on sale at website

Searching for someone via a MyKad number, for instance, would reveal the person’s full name, date of birth, gender and house address, claimed an anonymous social media account.


June 13, 2022

PETALING JAYA: The country’s cybersecurity is again under the spotlight as Malaysians’ personal data has been allegedly sold openly on the Internet for a few ringgit.

The existence of the website, highlighted by Twitter user @Radz1112, allowed a person to be searched by name, address, phone number, MyKad or military ID or date of birth.

Searching for someone via a MyKad number, for instance, would reveal the person’s full name, date of birth, gender and house address, claimed @Radz1112, who wanted to stay anonymous.

More detailed information, including MySejahtera vaccination info, loans and credit card applications, was hidden behind a paywall.

“OSINT (open source intelligence) tools are common and they display easily accessible information like a person’s social media, but this is one of the few instances where I am seeing country-specific database leaks being compiled in a single spot,” @Radz1112 said.

He said the website was found via a Google search and that the data might end up in the hands of those who could exploit it for financial gain or nefarious purposes.

“Granted that some of the information is paywalled, you can still do some harm if you have access to the right information,” he said.

Checks on the website found that apart from common data such as identification numbers and addresses, users could also get information based on car number plate and Companies Commission of Malaysia (SSM), among others.

It also contained information believed to be of agencies such as Election Commission, which could be acquired for just about RM20.

Those who wished to have their data removed from the database would have to pay RM436.

The Malaysian Personal Data Protection Department (PDPD) said it had requested for the website to be blocked.

“The website is no longer accessible,” a spokesperson said when contacted yesterday evening.

The Malaysian Communications and Multimedia Commission (MCMC) said they were providing technical assistance upon receiving requests from PDPD.

Chairman of cybersecurity firm LGMS Bhd and cybersecurity consultant Fong Choong Fook, who analysed the website, said it was likely created by Malaysians or people who
were familiar with the local market.

“The data is specific to Malaysia and there is a page to inform users how to buy bitcoin locally to gain access to more information,” he said.

He said the website was likely created just this month, charging as little as 50 cents (RM2.20) for a person’s mobile number.

It also has three other plans offering various levels of access.

“Though the website is labelled as an OSINT tool, in reality, it is actually a pirate site which was put together using stolen information,” he said.

Prior to this, the same domain was used to host another website.

Intrusion analyst Adnan Mohd Shukor believed that the data might have been sourced from publicly available information, third party APIs (application programming interfaces) and possibly from previous data leaks.

He said his peers in the cybersecurity field found it troubling as the website had correlated the data and put it all under one website, allowing bad actors to easily acquire personal information of others.

scroll to top