KINIGUIDE | On Oct 19, technology portal Lowyat.net reported what may have been the largest trove of stolen personal data in Malaysian history when it found someone attempting to sell the data on its highly popular online forums.

This kicked off an investigation by the Malaysian Communications and Multimedia Commission and the police to find the source of the leak, and the breach was traced to an IP address in Oman.

Investigators also believe that the breaches took place sometime between 2012 and 2015.

At least part of the data that originated from the breaches is still being circulated online.

For this instalment of KiniGuide, we analyse the data to help make sense of the exact nature of the leaks and its implications.

Before we begin, some caveats:

The amount of data involved in the breaches is massive and its provenance unclear. Malaysiakini is unable to verify the data in entirety, nor rule out duplicates before counting the amount of data involved in the breaches.

For telecommunications companies (telco), some of the files are lists of phone serial numbers (IMEI) with no other data associated with it. Other files appear to have been drawn from the same database at different points of time.

Hence, the number of entries that purportedly originated from each telco is larger than the actual number of subscribers affected.

Furthermore, the data analysed, though massive, is not all that was leaked. Lowyat had reported that the leaked data included housing loan applications, which could not be located and is not part of this analysis.

No personal data was or will be published as a result of this analysis. Section 45 of the Personal Data Protection Act 2010 provides for an exemption for data processed for journalistic and public interest purposes.

What does the file look like?

The file comes in the form of a compressed folder (known as a .zip file) that is 3.4 gigabytes in size. Once fully unpacked, it unfurls into over 130 individual files organised into 15 folders, totalling 14.2 gigabytes.

Most of these files are spreadsheet files in either the Microsoft Excel format (.xls and .xlsx) or the comma separated values (.csv) format. There is also one database file in the .sql format.

Who got hit?

Jobstreet.com

Number of entries: 16.3 million

Data leaked: Details of job candidates including name, IC/passport number, address, phone number, email, ethnicity, sex, date of birth, nationality, login information and hashed passwords.

What it means: In terms of privacy implications, this is arguably one of the more serious breaches due to the tendency of most people to reuse their passwords over multiple websites.

The passwords in the database are ‘hashed’, meaning that it had been coded in some way. Depending on how well this is implemented, however, it may be feasible to crack the code and reveal the password.

Jobstreet.com had instructed their users to reset their passwords in January 2017, so these accounts are now secure. However, a savvy hacker may still use the leaked passwords in an attack called ‘credential stuffing’.

This simply involves taking information found in the Jobstreet.com leak and using it to log into other services such as Facebook, email services, and others. If the user had been reusing his passwords and had not changed it since the leak, the trick would work.

You can check if you had been affected via the haveibeenpwned.com. If you have, you should change your passwords for all the services where you had been using the same password.

You should also consider adopting best practices for managing passwords, whether or not you have been affected, such as the one provided by the NGO Electronic Frontiers Foundation.

FXUnited

Number of entries: 1,769

Data leaked: Details of members including: Name, MyKad number, address, phone number, email, password, IP address.

What it means: FXUnited is ostensibly a foreign currency trading platform but had been placed on Bank Negara's consumer alert list since 2015.

The leaked passwords appear to be in plain text and can be read readily, but it also appears to have been randomly generated.

Those affected should change their passwords if this had not already been done, but unlike the Jobstreet.com database, there is little risk of exposing oneself to credential stuffing.

The other personal details still pose a privacy risk, however, as discussed below.

The telcos

Number of entries: Altel (24,273), Celcom (18.0 million), DiGi (13.4 million), EnablingAsia (106, 069), FriendiMobile (6.7 million), Maxis (47.8 million), MerchantTradeAsia (1.8 million), PLDT (149,400), RedTone (246,612), TuneTalk (594,276), UMobile (37.8 million), XOX (79,138).

Data leaked: Details of subscribers, including: Name, MyKad/passport/company number, billing address, phone number, phone brand and model, and serial numbers of the phone and the SIM card (ICCID, IMSI, and IMEI).

What it means: Information about the subscriber’s phones are likely to have limited use given the age of the data and the short life cycles of phones.

However, the personal information leaked would be a treasure trove for marketers and would-be-stalkers, as well as potential criminals looking to study their target.

Together with the MyKad number, and any information that may be gleaned from social media, a scammer can also pull off a more convincing con on their victims by impersonating some authority or a company that the victim has dealings with.

This can be used to dupe the victim into giving up either money, or more information (such as a photocopy of a MyKad) that can be used to perpetrate other crimes. This possibility also applies to almost any leak of personal information.

The medical professionals

Number of entries: Malaysian Medical Council (61,050), Malaysian Dental Association (4,280), Malaysian Medical Association (35,779), National Specialist Register of Malaysia (10,312)

Data leaked: Details of medical professionals including: Name, MyKad/passport number, address, email, phone numbers, membership information, ethnicity, sex, qualifications, security question and answer (National Specialist Register of Malaysia).

What it means: The leak of personal information of doctors, surgeons, and dentists poses much of the same risks as the telcos, except that this is also a social group that is perceived to be well-off.

This could make the data more attractive to marketers and criminals alike.

This is particularly true for the Malaysian Medical Association (MMA) database. While the other three databases only have either a home address or office address, the MMA has both.

In the case of the National Specialist Register of Malaysia (NSR), the leaked database also contains security questions and the corresponding answers, which are typically used to retrieve or reset a password if it is forgotten.

These include the name of the member’s next-of-kin (mothers and spouses seem to be the most popular choices), licence plate numbers, birthdays, place of birth and others.

A check by Malaysiakini reveals that the NSR seems to have discontinued the use of security questions and answers, but the database still contains personal details of its members.

However, if you use the same answers to similar security questions on other platforms, it is possible for someone to reset your password on those platforms if the reset procedure is lax and does not require an email.

It would be best to also change your answers to security questions on other platforms if they were the same as those in the leaked NSR data.

What can one do with just a MyKad number?

Without at least a photocopy of the document, not much can be done that is of consequence.

Many bank and government transactions, for example, may require a photocopy of the MyKad or even a fingerprint verification for an application or transaction to proceed.

However, it can be used to obtain further information on you.

For example, the MyKad number can be used to determine the street you live by searching the Election Commission’s voter registration database, if you are registered as a voter.

If you have unpaid summons, a quick search could also reveal details about your car, including its licence plate number.

The rest depends on how far a scammer is willing to go to commit a fraud, and the checks in place by service providers to make sure they know who they are dealing with.


This instalment of KiniGuide is compiled by KOH JUN LIN.