What You Should Know About The Data Breach Affecting Astro Customers

It is believed that the same person who tried selling customers' data online in January resurfaced last week and made a similar offer.

Personal data of Astro customers have been offered for sale online

The matter was first reported by Lowyat.net on Wednesday, 6 June.

It was revealed that the online portal learned of the data breach back in January 2018, when a seller promoted the sale of data purportedly belonging to pay TV operator Astro.

According to Lowyat.net, the seller provided samples and claimed to have the following details of 50,000 Astro IPTV customers: names, installation addresses, identity card numbers, mobile phone numbers, and portal ID numbers, as well as subscribed package information.

The seller reportedly offered to sell the details for RM3,000 per 10,000 records, which translates to RM0.30 per customer.

Lowyat.net published the report on the matter following the discovery that a seller made a similar offer on the sale of Astro customer details last week

It is believed that the seller is the same person who attempted to sell the data in January.

The portal raised concerns over data security, saying that it had notified Astro and the relevant authorities about the January data breach back then.

It also said that Astro responded with the assurance that they took the protection of customer data seriously.

Lowyat.net also pointed out that the price of the personal data being sold had gone up to RM4,500 per 10,000 records, while the seller claimed to have 60,000 records, an increase from the initial 50,000.

Astro has responded to media reports on the issue and offered some clarification:

1. The data breach only affected IPTV customers provisioned by Maxis

Astro explained in a statement yesterday that the management of IPTV customers is a joint responsibility between Astro and its telco partner, Maxis Broadband Sdn Bhd (Maxis).  

"No other Astro customers are affected," it said.

2. Astro said it had taken measures to address the issue the first time it was made aware of the incident

Astro gave a timeline of the sequence of events that took place after it was informed of the data leak in January:

• 26 January 2018: Astro was informed of the data leak. 

• 26 January 2018: On the same day, Astro sought assistance from the Malaysian Communications and Multimedia Commission (MCMC) and had the search engine provider remove the link. All traces of customer data online were immediately removed.

• 8 February 2018: Astro lodged a police report. 

3. Astro has reiterated that protecting their customer data is of utmost importance to them

"Protecting our customer data is of utmost importance to us and we have complied with all data protection protocols and obligations. In any case we have revalidated all our security measures and confirm they are intact," Astro said.

After learning that the data had resurfaced, Astro lodged a second police report yesterday and informed MCMC of the matter. It added that a report will be lodged with the Department of Personal Data Protection and that Maxis has been requested to extend its assistance with the investigation.

"We are working closely with the authorities to address the issue. We confirm no customer financial data was disclosed. We are also working with Maxis to carry out additional forensic investigations."
