The trove of stolen data included ID card numbers and details on 46 million mobile phones, in a country of only 31.2 million
While large data breaches are becoming increasingly common, the incident remains unusual in its scale, with Malaysia having a population estimated at only about 31.2 million.
Lowyat.net, a Malaysian news site that also operates online forums, said earlier this month it had found an individual attempting to use one of its forums to sell the data.
Late on Monday the site said it had confirmed the data was authentic, although it didn’t specify how the authentication had been carried out.
Data had already changed hands
The site said the files appeared to date from 2014 and to have already changed hands several times.
It wasn’t clear how the data had been obtained, with the variety of sources suggesting it may have been compiled from several distinct leaks. Time stamps on the telco data indicated it was last updated between May and July 2014, Lowyat.net said.
Malaysian mobile operators contacted by local news outlet The Star said they were cooperating with investigators, but none commented on whether they had been hacked.
The telecoms data included 46.2 million mobile phone numbers, including both postpaid and prepaid numbers, along with customer details, addresses and SIM card information such as IMEI and IMSI numbers.
The figure is larger than Malaysia’s entire estimated population, but many mobile users have multiple numbers, and the data could also include numbers no longer in active use.
While the data isn’t sufficient to clone users’ SIM cards, it could expose them to scams. Lowyat.net said since it originally reported the breach earlier in October telcos have taken no action to protect those affected by the breach, such as replacing the affected SIM cards.
Also in the cache were three databases from the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA), 81,309 records in all.
The information they include is more sensitive, with individuals’ identity card numbers (called MyKad), along with mobile, work and home phone numbers and work and residential addresses.
The MMA said it had filed a police report earlier this month, following Lowyat.net’s original report, and said it was planning a security upgrade for its systems.
Lowyat.net said it had handed over its information to the Malaysian Communications and Multimedia Commission (MCMC), which is working with police to investigate.
How well do you know the cloud? Try our quiz!