
Personal data of 46.2 million Malaysia mobile subscribers leaked

The massive data breach is yet another example of a ‘low and slow’ attack that stays dormant inside networks for years, without anyone noticing

The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.

According to Malaysian technology news website Lowyat.net, the leaked data comprised personal details such as e-mail and billing addresses as well as SIM card information of pre-paid and post-paid mobile subscribers of at least 12 telcos and mobile virtual network operators.

Additionally, the personal data of users of job portal Jobstreet.com, as well as a slew of medical organisations such as the Malaysian Medical Council and the Malaysian Dental Association, was compromised.

The massive data breach first came to light on October 18, when Lowyat was alerted to databases containing the leaked data that had been put up for sale for an undisclosed amount of bitcoin on its online forums.

Based on the dates in the data, the breach was likely to have occurred between 2014 and 2015, according to a Lowyat report. It is uncertain how the breach occurred, though investigations by the local police are ongoing.

“All aspects are still under investigation, so we do not want to make any conclusions that will only complicate the situation,” Mazlan Ismail, chief operating officer of the Malaysian Communications and Multimedia Commission (MCMC), told the Bernama news agency.

Mazlan revealed the MCMC had met with the affected telcos to seek their cooperation and keep them updated on the situation. “This is to ensure that they understand what is happening now, especially when the police, through the Commercial Crime Investigation Department, visit them to investigate,” he said.

On its Facebook page, the MCMC had called on the public to avoid speculating about the data breach until the authorities complete their investigations.

Sanjay Aurora, Darktrace’s Asia-Pacific managing director, said this latest breach is yet another example of a ‘low and slow’ attack that stays dormant inside networks for years, without anyone noticing.

“Traditional defences predicated on chasing after yesterday’s attack fail to spot and stop stealthy ‘low and slow’ attacks of this type. Lateral movements are incredibly difficult to catch, with attackers spending an average of 260 days in a network before striking,” he said.

Aurora said machine learning technology that learns on the job and dynamically recalibrates assumptions in the face of new information will detect and stop similar attacks. He also called for a cultural change against widespread victim-blaming that could deter organisations from coming forward with the evidence of crimes.


With mounting data breaches around the globe, Asia-Pacific countries such as Singapore and Australia are either planning to enact data breach notification requirements or have already done so.

Although Malaysia has personal data protection laws that require organisations to guard the personal data of individuals against loss, misuse, modification, and unauthorised or accidental access, among other obligations, it does not require organisations to report data breaches.

Ng Kai Koon, a former director of government affairs at Symantec Asia-Pacific and Japan, had called for Malaysia to implement data breach notification rules as early as 2012, noting that this would instil consumer confidence in the country’s data protection regime in spite of the regulatory overheads and costs to businesses.
