Malaysian Data Breach Could Affect Entire Population
Malaysia has suffered its biggest ever data breach after the personal details of over 46 million mobile subscribers were found being traded on the dark web.
That figure represents more than the 31 million population of the country, and could include foreigners living there.
The targeted telcos include: Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.
The breached data includes customer names, billing addresses, mobile numbers, sim card numbers, IMSI numbers, handset models and ID card numbers, according to the site that first broke the news.
However, the breach gets even worse, with data from employment site Jobstreet.com and several government websites also discovered. These are: the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia.
Lowyat.net claimed the Jobstreet data featured records on as many as 17 million customers, including names, login names, hashed passwords, email id, nationality, address and phone number.
Over 20,000 records were stolen from the Malaysian Medical Association while 62,000 were taken from the Malaysian Medical Council which registers all doctors in the country. The data included ID card numbers, addresses and mobile numbers.
Malaysian communications and media agency MCMC said it was investigating the incident and confirmed that 42.6 million people were affected.
According to local reports officials have already met with the affected telcos, although the source of the breached data has yet to be disclosed.
Some of the data dates back as far as 2012 but it’s unclear when the breach took place.
ESET security specialist, Mark James, argued that the data could make follow-on phishing attempts highly successful.
“The user can immediately relate to the data and would in most cases follow any instructions that may be within an email, or even through a personal phone call, because in most cases we have no control over what is stored about us online, we have no choice but to comply,” he added.
“If we want the benefits of connected services and the ability for medical organizations to have all the info at hand in case of emergency, in most cases they have to have our most private details."
Source: Information Security Magazine