Last year, there was a massive data leak incident involving JPN that affected almost 4 million Malaysians.
Recently, the incident appears to have repeated itself, with a database seller claiming to be in possession of a dataset belonging to the National Registration Department (JPN) that covers the entire population of the country with birth years from 1940 to 2004.
According to Amanz, the database is currently being listed online with an asking price of USD10,000 (≈RM43,885).
The offer was first noted on the dark web, but our checks showed that there is another listing on a well-known database marketplace forum, which is much easier to access.
Meanwhile, the seller claimed that the 160GB dataset has 22.5 million rows with 20 attributes such as name, IC number, address, date of birth, gender, race, religion, mobile number, and Base64-based photo.
To provide proof that the data is legit, the seller also provided a sample record belonging to Home Affairs Minister Dato Seri Hamzah bin Zainudin. The seller also attached the IC photo from the record, which matches the Minister.
As with the September 2021 leak, the seller claimed that the myIDENTITY API was the source of their new offering.
As noted in our previous report, myIDENTITY is essentially a national data sharing platform for the public sector that allows government agencies to obtain one’s personal details from a centralised repository.
A quick check of the seller’s profile showed that he had also posted an offer to sell a database allegedly containing information of 802,259 Malaysians obtained from the Election Commission (SPR)’s website a couple of weeks ago.
The worst part of this is that the seller is also selling actual photos of ICs as well as electronic Know Your Customer (eKYC) images of people taking selfies while holding their IC.
Meanwhile, JPN and other related government agencies have not responded to this matter, but we think that it is about time for the authorities to conduct a thorough security audit of the myIDENTITY platform as well as the agencies that have access to it.