Artur Marciniec - Fotolia

Personal data of 46.2 million Malaysia mobile subscribers leaked

The massive data breach is yet another example of a ‘low and slow’ attack that stays dormant inside networks for years, without anyone noticing

This article can also be found in the Premium Editorial Download: CW ASEAN: CW ASEAN: European data law – be aware and prepare

The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.

According to Malaysian technology news website Lowyat.net, the leaked data comprised personal details such as e-mail and billing addresses as well as SIM card information of pre-paid and post-paid mobile subscribers of at least 12 telcos and mobile virtual network operators.

Additionally, the personal data of users of job portal Jobstreet.com, as well as a slew of medical organisations such as the Malaysian Medical Council and the Malaysian Dental Association, was compromised.

The massive data breach first came to light on October 18, when Lowyat was alerted to databases containing the leaked data that had been put up for sale for an undisclosed amount of bitcoin on its online forums.

Based on the dates in the data, the breach was likely to have occurred between 2014 and 2015, according to a Lowyat report. It is uncertain how the breach occurred, though investigations by the local police are ongoing.

“All aspects are still under investigation, so we do not want to make any conclusions that will only complicate the situation,” Mazlan Ismail, chief operating officer of the Malaysian Communications and Multimedia Commission (MCMC), told the Bernama news agency.

Mazlan revealed the MCMC had met with the affected telcos to seek their cooperation and keep them updated on the situation. “This is to ensure that they understand what is happening now, especially when the police, through the Commercial Crime Investigation Department visit them to investigate,” he said.

On its Facebook page, the MCMC had called for the public to avoid making speculations on the data breach until the authorities complete the investigations.

Sanjay Aurora, Darktrace’s Asia-Pacific managing director, said this latest breach is yet another example of a ‘low and slow’ attack that stays dormant inside networks for years, without anyone noticing.

“Traditional defences predicated on chasing after yesterday’s attack fail to spot and stop stealthy ‘low and slow’ attacks of this type. Lateral movements are incredibly difficult to catch, with attackers spending an average of 260 days in a network before striking,” he said.

Aurora said machine learning technology that learns on the job and dynamically recalibrates assumptions in the face of new information will detect and stop similar attacks. He also called for a cultural change against widespread victim-blaming that could deter organisations from coming forward with the evidence of crimes.

Read more about cyber security in APAC

  • LogRhythm CEO Andy Grolnick calls for more investments in cyber security technology and processes in APAC amid growing cyber threats in the region.
  • Three-quarters of chief information security officers in Singapore and Australia are highly concerned that data breaches are not being addressed.
  • A majority of publicly listed companies in Singapore had little or no exposure to cyber threats even as the country is being used as launch pad for cyber attacks.
  • Telcos such as Telstra and industry associations in Australia are chipping in to help enterprises that are being targeted by cyber criminals with phishing and social engineering exploits.

With mounting data breaches around the globe, Asia-Pacific countries such as Singapore and Australia are either planning to enact data breach notification requirements or have already done so.

Although Malaysia has personal data protection laws that require organisations to guard the personal data of individuals against loss, misuse, modification, unauthorised or accidental access, among other obligations, it does not mandate organisations to report data breaches.

Ng Kai Koon, a former director of government affairs at Symantec Asia-Pacific and Japan, had called for Malaysia to implement data breach notification rules as early as 2012, noting that this would instil consumer confidence in the country’s data protection regime in spite of the regulatory overheads and costs to businesses.

Read more on Data breach incident management and recovery

CIO
Security
Networking
Data Center
Data Management
Close