Malaysia’s cybersecurity has once again come under the spotlight after a netizen found a website that allegedly contains personal details of Malaysians.
The existence of the website was highlighted by Twitter user @Radz1112, and it allowed a person to be searched for by name, address, phone number, MyKad or military ID or date of birth.
The user also claimed that searching for someone via MyKad number will reveal the person’s full name, date of birth, gender and house address.
There is more information, such as MySejahtera vaccination info, loans and credit card applications, but it is hidden behind a paywall.
We have a fucking situation.
— Cyber Guardian 💕 (@Radz1112) June 11, 2022
There’s an OSINT tool already out in the clearnet that’s using the leaked Jabatan Pendaftaran Negara database. I just tried it out and holy fuck we are screwed.
I wasn’t even looking for anyone specific and I’m already finding nombor anggota.
“OSINT (open-source intelligence) tools are common and they display easily accessible information like a person’s social media, but this is one of the few instances where I am seeing country-specific database leaks being compiled in a single spot,” the user wrote in a tweet.
He also said the website was found via a Google search and that the data might end up in the hands of those who could exploit it for financial gain or nefarious purposes.
However, as of the evening of 12 June, the website was blank. It appeared to have been taken down or rendered inactive, according to the Down.com URL checker.
Site was found down at 1830hrs, 12th June, 2022. Unknown which entity took it down.
— Cyber Guardian 💕 (@Radz1112) June 12, 2022
Visual confirmation: pic.twitter.com/PYg8tDwmEk
Nonetheless, he advised the public to take the following precautionary steps to prevent those with ill intentions from harming anybody.
- Remove your real name from your social media
- Remove any indications of your birthday
- Delete any pictures of your license plate
- If possible, remove any indications of the state you were born in
The user said the website was a threat to the country’s national defence and the security of the public’s personal data.
According to The Star, the Malaysian Personal Data Protection Department (PDPD) has requested that the website be blocked, and it will be assisted by the Malaysian Communications and Multimedia Commission (KKMM).
Meanwhile, Fong Choong Fook, chairman of cybersecurity firm LGMS Bhd and a cybersecurity consultant, who analysed the website, said it was likely created by Malaysians or people who were familiar with the local market.
All you need is someone’s name and maybe birth year, and you can verify that they’re working for the Malaysian police and/or military. This is such an operational security shit show. Our national defense just got fucked. pic.twitter.com/bwJMypNPE1
— Cyber Guardian 💕 (@Radz1112) June 11, 2022
“The data is specific to Malaysia and there is a page to inform users how to buy bitcoin locally to gain access to more information,” he said, adding that the website was likely created recently and that the seller is charging as little as 50 cents (RM2.20) for a person’s mobile number.
It also has 3 other plans offering various levels of access.
“Though the website is labelled as an OSINT tool, in reality, it is actually a pirate site which was put together using stolen information,” he said.
Last month, it was reported that a National Registration Department (JPN) dataset containing details of 22.5 million people, with birth years from 1940 to 2004, was on sale for nearly RM44,000 on a database marketplace forum.