Selfies & MyKad Images Of 800,000 Malaysians Allegedly Being Sold Online
Since its launch in 2019, the MySPR website has allowed people to register online to vote for the upcoming election
However, a user by the name @acaiijawe recently took to Twitter to expose a famous database marketplace that's allegedly selling user data obtained from the MySPR website.
It is believed that the database being sold contains information from over 800,000 users, including their selfies and National Registration Identification Cards (NRICs), that are part of the system's Electronic Know Your Customer (eKYC) implementation, as reported by Lowyat.NET.
Previously, Malaysians had to register through the website in order to vote, but since automatic voter registration was implemented, the feature has been rendered futile
This doesn't necessarily mean that all the previous data on the website is now gone, as the Election Commission (EC) still keeps a database of voters who have registered since the last election. Moreover, overseas voters will still need to use the system to send their postal votes.
To register, users need to submit personal details along with a photo of their NRIC, as well as a selfie taken with the NRIC itself. Meanwhile, members of the Malaysian Armed Forces (ATM) and Royal Malaysian Police (PDRM) will need to show their army or police identification instead.
Data belonging to several users has allegedly been acquired by this seller
In the screenshot posted to Twitter, the seller, who goes by the username @actifedot, claimed that they have information that includes full names, NRIC numbers, e-mail addresses, birth dates, hashed passwords, and full addresses. There were also 67GB of eKYC (Electronic Know Your Customer) images of users.
According to Lowyat.NET, the seller is asking for USD2,000 (approximately RM9,000) via Bitcoin or Monero cryptocurrencies. The listing was reported to have occurred in April, and they claimed to be "in possession of the full electoral roll with details of 22 million voters."
In a report by New Straits Times, CyberSecurity Malaysia and the police are investigating the data breach, but the EC has yet to issue a statement.
Meanwhile, caretaker Home Minister Datuk Seri Hamzah Zainuddin said in a statement, "So far, no report has been made and if there is, we will investigate this issue. However, what I want to emphasise here is that the data obtained from the EC is only the name and identity number. If it comes with the phone number, this means it is a form of fraud."
Read the latest #tech news and stories: