A group of hackers claims to possess a dataset that belonged to the National Registration Department (JPN). The dataset has the entire population of the country, 22.5 million Malaysians born between 1940 and 2004 affected.
The database is being offered through the dark web with an asking price of USD10,000 (~RM43,885), as first highlighted by the local tech portal Amanz. However, Lowyat.net searches showed that it took place at a well-known database marketplace forum.
A similar incident happened last year by the same group sometime before September 2021. It involved the dataset of 4 million Malaysians on the dark web at the website Raidforums. The marketplace since has been taken down.
The hackers published the latest listing in the marketplace last month. They mentioned the September 2021’s leak and claimed the source of their new offer was myIDENTITY API which is similar to last year’s listing.
The data-sharing platform myIDENTITY was designed for the public sector. It enabled government agencies to obtain personal details from a centralised repository. Minister of Home Affairs, Hamzah Zainudin said that 104 agencies have received permission to make use of the platform.
As claimed by the seller, the dataset has details of 22.5 million Malaysians including 20 attributes such as name, IC number, address, date of birth, gender, race, religion, mobile number, and Base64-based photo. They proved their point by posting a version of the data sample belonging to Hamzah Zainudin in their listing.
Authorities are pushed to conduct a thorough security audit on the myIDENTITY platform and the agencies that have access to it.