Why is Malaysia seeing a rise in data leaks, and what is the government doing to stop it?
Malaysians were given a rude shock in April, following the revelation that the personal data of 22.5 million citizens, ranging from full names to identification numbers, home addresses, phone numbers and ID photos, had been stolen from government servers and sold on the dark web for a reported price of just US$10,000 (S$14,000).
Barely two months later, Malaysian computer security experts, or “white hat hackers”, discovered a website on the conventional internet that offered access to a wide range of personal data of Malaysians.
By simply keying in a portion of a valid ID number, users could gain access to everything from names and addresses to voting constituencies and student loans, suggesting that the data leaks were not confined to servers managed by the national registration department but extended to those of the election commission and financial agencies.
The now-defunct website offered more in-depth data for a price, and even offered to help flush personal information from the database for a US$99 fee.
The white hat hackers, who spoke on condition of anonymity due to the sensitivity of the matter, said the website was likely operated by Malaysians, and they have reported their findings to the authorities.
These were just two of the latest data security breaches faced by Malaysians, as the pandemic thrust the country onto the path of accelerated digitisation over the past two years amid extended lockdowns and movement curbs that prompted a surge in remote working and e-commerce.
The government had been largely silent about the hacks, save for a couple of ministers dismissing concerns of lax data security.
Commenting on the April leak, Home Minister Hamzah Zainuddin on Wednesday shifted blame away from the national registration department and instead pointed to “the internet”, telco companies, financial institutions and other agencies as being the source of the leak.
An official with the office of the Multimedia and Communications Minister, who oversees internet activity in the country, did not immediately respond to a request for comment.
Malaysia’s national ID system is widely used for official business and transactions. An ID number is typically made up of the holder’s birth date and specific codes that represent place of birth and gender.
The personal details of individuals can also be exposed via the licence plate numbers of their cars – which were part of the data sets available on the website.
Personal cost of data leaks
The leak of the vast trove of personally identifiable information (PII) of Malaysians, paired with tools available on the dark web, means criminals could have a field day online, according to Farlina Said, a cybersecurity expert at the Institute of Strategic & International Studies Malaysia.
“Digitisation is also accompanied by the proliferation of tools and crime-as-a-service (CaaS) marketplaces which do make it easier for malware to be replicated and for individuals to conduct criminal activities,” Farlina told This Week in Asia.
Freelance reporter Nor Arlene Tan has intimate knowledge of the extent of the damage that can be wrought by such data leaks. In 2011, her personal information was exposed by malicious hackers who had mistaken her for someone else behind an anonymous online account that spouted vitriol towards Islam.
She was left emotionally devastated after facing a barrage of hate, including rape threats over the phone.
“Once they have your [national identity card number] they can know everything,” Arlene said.
The act of launching malicious personal attacks online that Arlene faced, known commonly as “doxxing”, is just one of the many ways that people can fall victim to criminal activity due to PII leaks.
Police in Selangor, Malaysia’s richest and most populous state, reported 1,354 cases of scams over the first half of this year involving individuals pretending to be an authority figure, such as a police or tax officer, and using PII to convince victims to transfer money to specific accounts as part of their “investigations”.
State police chief Arjunaidi Mohamed has said that existing laws were not adequate to regulate internet cheating offences as they predate online banking and transactions.
To minimise the risk of exposure to online criminal activity, experts suggest that people remove from social media their real names, any indication of their birthdays, pictures of their cars, and any indication of the state they were born in.
The authorities must also not be complacent as cyber threats are constantly evolving due to the rapid evolution of tactics and technology, said Munira Mustaffa of the Newlines Institute For Strategy And Policy in Washington DC.
“Identity theft, financial scams, uncontrolled and aggressive non-solicited marketing by unscrupulous commercial entities to target consumers and most importantly, the loss of our own privacy are all risks associated with the disclosure of our personally identifiable information,” she said.
Arlene’s photos and personal information can still be found on blogs today, and she worries that the latest leak simply means that even more personal data is “out there”.
“Nothing is private any more,” Arlene said.