Personal Data Belonging To M'sians Have Allegedly Been Made Public & Being Sold For RM6.60
Without paying a single sen, anyone who knows your name can also allegedly find out the first and last two digits of your identification card (IC) number.
Last year, it was reported that the private information of millions of Malaysians was leaked and sold on the dark web.
Less than a year later, a cybersecurity expert said hackers have now published the data on the public Internet, meaning anyone who knows what to search for on Google can easily access the leaked data.
In a tweet yesterday, 12 June, @Radz1112 revealed that there is an "Open-Source Intelligence (OSINT) tool" found on the Internet that publishes alleged data from the National Registration Department (JPN).
"I wasn't even looking for anyone specific and I'm already finding nombor anggota (the identification numbers of people working in the military or police force)," they said.
"All you need is someone's name and maybe (their) birth year, and you can verify [whether] they're working for the Malaysian police and/or military. This is such an operational security sh-t show. Our national defence just got f--ked."
OSINT refers to the collection and analysis of data gathered from publicly available sources to produce actionable intelligence. The keywords here are "publicly available sources".
The existence of an OSINT tool holding data allegedly belonging to Malaysians suggests that not only has citizens' private information been compromised, but the bad actors are also not trying to stay discreet about what they have.
@Radz1112 said that the website allows anyone to find someone's information by just keying in their name, identification card (IC) number, car plate number, or phone number.
With just the name, one can find:
– the first and last two digits of their IC number, of which the former reveals their birth year
– the state they registered their IC
– their full IC number (need to pay)
With just the IC number, one can find:
– their full name
– their voting details (the federal and state constituencies they vote for)
– the last four digits of their phone number
– their address (city, state, and zip code)
– their sex
– their gender
– their full phone number (need to pay)
– their full address (need to pay)
– their credit report (need to pay)
– their MySejahtera information (need to pay)
With just the car plate number, one can find:
– the first letter of their name
– the total letter count of their name
– the last four digits of their phone number
– the first digit of their IC number
– their full IC number (need to pay)
– their full name (need to pay)
With just the phone number, one can find (must have an account on the website):
– their full name
– the name of the service provider
– the type of their line
– their email
– their purported Commercial Crime Investigation Department (CCID) report
– their full address (need to pay)
– their IC number (need to pay)
When contacted on an end-to-end encrypted messenger, @Radz1112 shared with SAYS that anyone can purchase a citizen's information for just USD3 (about RM13.25).
"So for the account pricing, I noticed there was a tier list...? You know, like those Patreon membership things?" they said.
"Apparently based on the account's membership status, you have a set amount of 'remove my account information from the database' option."
"The highest tier (of membership) was USD10,000 (about RM44,150), if I'm not mistaken."
@Radz1112 worked as a first responder while they were studying cybersecurity. They are currently working in tech, but also pursuing criminology studies.
They told SAYS that the website offered discounts on profile purchases, and they beat themself up for not taking a screenshot of it as the website has since gone offline.
A screenshot shared with SAYS shows how the website lets anyone find out someone's phone numbers as long as they have their full name.
The function is called "Search people by ID - Malaysia data OSINT".
The result shows three phone numbers belonging to one person, and a user with an account on the website can additionally view the person's "personal credit report" and "contact tracing app" data.
"It doesn’t explicitly state MySejahtera," @Radz1112 answered when asked to clarify the information found under "contact tracing apps".
Most of the sensitive information is hidden behind a paywall, they added.
Another screenshot shows one has to pay a mere USD1.50 (about RM6.60) to purchase the information revealed through their phone number.
"I resorted to publishing this to the public instead of resorting to the agencies because the public should know that this is a real threat," @Radz1112 said, explaining why they posted what they found on Twitter.
"I don't think the agencies are doing enough to make people realise how at-risk the population is to doxxing."
Although the website has gone offline as of now, @Radz1112 said it is uncertain whether it was the authorities or the website owner who took it down.
"For all we know, the person who created the site could be doing it temporarily until the heat dies off," they added.
Meanwhile, @Radz1112's tweet has caught the attention of DAP Social Media Bureau chairman Syahredzan Johan, who confirmed that what @Radz1112 found was true.
"This means past reports claiming that personal information of citizens was leaked are all true," Syahredzan said in a video.
"What has the government done to address the issue? (Who knows)."
Last month, Defence Minister Datuk Seri Hishammuddin Hussein assured members of the public that his ministry has systems in place to prevent any issues stemming from the latest data leak from affecting national security, reported The Star.
He also denied that the leaked data came from JPN.