Report: Alleged JPN Database Leak Leaves 4 Million Citizens' Info Being Sold For RM35,500

A check by SAYS found that the samples of the leaked data contain information belonging to some 60 individuals, all of whom have verifiable addresses scattered around Malaysia.

Cover image via @viralperak (Twitter) & SAYS

Subscribe to our Telegram channel for our latest stories and breaking news.

It is alleged that almost four million citizens' data secured at the National Registration Department (JPN) has been breached and the information is currently up for sale for about RM35,500

The database leak was first highlighted by Twitter user Adnan Mohd Shukor, who Lowyat.NET reported is an intrusion analyst.

The data is currently listed for sale on a "database sharing and marketplace forum". The website is only accessible after using a virtual private network (VPN).

"Malaysia citizen data fresh from Jabatan Pendaftaran Negara (JPN), leaked from through myIDENTITY API," read the forum post, which was published on 24 September.

"Total data is almost 4 million equal to 31.8GB, group by birth year from 1998 to 1979."

Image via SAYS

myIDENTITIY is the government's data-sharing platform that houses citizens' and permanent residents' information. Users can update their information on its website so that they do not have to provide the same information while dealing with government agencies online.

The centralised database is accessible by JPN, the Inland Revenue Department (LHDN), Election Commission (EC), and Road Transport Department, among others,

At the time of writing, the myIDENTITY website is no longer accessible.

SAYS has reached out to JPN and it did not immediately respond to requests for a comment.

According to the seller, the leaked data include people's names, emails, mobile numbers, permanent addresses, and identification numbers

The data also include people's genders, races, and religions in 19 different files.

The seller provided sample images of the database, which checks by SAYS found information of some 60 individuals. Each entry contains the person's address, which can be easily verified as real places in Malaysia.

The screenshots of the database also show whether the account is "active" or not.

Image via SAYS

All data — in comma-separated values (CSV) and JavaScript Object Notation (JSON) formats — is selling for 0.2 Bitcoin, which is approximately RM35,500 at the time of writing

The cryptocurrency is an infamous method of transaction in cybercrimes as hackers can commit their acts and receive payment without being traced.

Lowyat.NET reported that the seller is the same actor behind the sales of databases allegedly collected from a local e-commerce website and the EC. Both sets of data were put up for sale in February for an undisclosed price.

According to the seller's profile on the forum, the person is said to be based in Puchong, Selangor.

Image via SAYS

Today, 28 September, the seller responded to a potential buyer on the forum who requested to only purchase the database of people living in Kuching and Serian, Sarawak, but the seller said they "prefer selling in bulk".

They also provided a set of JSON text to prove that their leaked data is authentic.

On 25 January, Anonymous Malaysia said the government has been irresponsibly allowing data leaks and sales of people's personal information to go on over the past few years:

In 2011, the vigilante cyberactivist group took down 91 government sites for nine hours: