Recently, data that presumably belongs to the National Registration Department (JPN) has allegedly been put on sale at a popular database marketplace forum.
It is estimated that the database that was on sale contains important personal information of over 4 million Malaysians including full names, NRIC numbers, mailing and permanent addresses, mobile numbers, and e-mail addresses. The database also is said to involve data of Malaysians born between 1979 and 1998, aged 23 to 42.
4 juta data peribadi rakyat Malaysia diiklan untuk jualan. Dikatakan data dari API myIDENTITY pic.twitter.com/UboJAwPlnC
— Adnan (xanda) Mohd Shukor (@xanda) September 27, 2021
Lowyat reported that the 4 million data, as claimed by the seller, was said to be harvested from the Inland Revenue Board’s LHDN) website through an Application Programming Interface (API) that was meant for myIDENTITY.
For the uninitiated, myIDENTITY is the national data-sharing platform that was launched 9 years ago that allows government agencies to obtain one’s personal data from a centralised repository. The centralised database of personal details was shared by 10 public sector agencies including both JPN and LHDN.
The data leak incident was first brought into attention by a local data Intrusion Analyst, Adnan Shukor, in which he highlighted that the 31.8GB file that made up the database is currently on sale at a marketplace forum. Apparently, this is not the first time that this particular seller has put up a database from Malaysian organisations on sale.
In fact, the seller has done it twice previously. In February, the same seller had listed a database that is said to have come from the local e-commerce platform Ifmal and another set from the Election Commission of Malaysia (SPR).
The previous two listings, however, had not been assigned any prices by the seller as opposed to the JPN’s database. In regards to the database from JPN, the seller had put a price tag of 0.2 BTC, that is equivalent to approximately RM 35,495 at the current market at the time of writing. Quite cheap, isn’t it?
As of now, neither JPN nor LHDN have come forward with an official statement on the authenticity of the matter. Regardless, this data leak incident should be investigated and be taken seriously as it involves millions of locals’ personal data.