The Royal Malaysia Police (PDRM) has opened an investigation paper on the allegation of a data leak which is said to involve 4 million citizens' private information.
It was previously reported that data belonging to the National Registration Department (JPN) was leaked through myIDENTITY's application programming interface (API) on the Inland Revenue Board's (LHDN) website.
Information belonging to four million citizens born between 1979 and 1998 is being sold for about RM35,500.
According to Bernama, Bukit Aman Commercial Crime Investigation Department (CCID) director Datuk Mohd Kamarudin Md Din said the investigation was launched after the JPN deputy director lodged a report at the Presint 7 police station in Putrajaya on Monday, 27 September.
Kamarudin said the police will obtain a report from JPN's information technology division and inspect JPN's and LHDN's systems to determine the source of the alleged leak.
He said the police will investigate the case from all angles, adding that he will not rule out the possibility of an inside job.
"We have to determine our course of action. This data belongs to us and if it goes out there, scammers will profit," The Star quoted Kamarudin as saying.
He said the police are taking the matter seriously as the leak could lead to more scams.
The police will conduct a thorough investigation in collaboration with the Communications and Multimedia Commission (MCMC), CyberSecurity, and National Cyber Security Agency (NACSA).
The case is currently being probed under Section 4 (1) of the Computer Crimes Act 1997.
Meanwhile, LHDN refuted the allegation that the data was leaked from its department.
In a statement yesterday, 28 September, LHDN said it is only a user of the myIDENTITY system, not the owner.
"An internal investigation was conducted and found no leakage of data and information as alleged," the statement read.
"LHDN is also working with the NRD, NACSA, and National Security Council to look into all possibilities regarding the allegations."
It assured that data stored by the agency is secured and advised members of the public to be careful with viral reports, adding that the allegations could be spread by irresponsible parties to mislead and deceive the public.
The data being sold includes people's names, mobile numbers, permanent addresses, identification numbers, and more: