Bad news for the victims


PETALING JAYA: Mobile phone users who have verified that their personal information is part of the major data breach that came to light recently, also discovered that some of them are victims of a breach within a breach.

After doing a check with their identity card number on sayakenahack.com, many of them found out that handphone numbers they never registered for have been linked to their MyKad.

These are not their old phone numbers which had been terminated or subsidiary numbers that they had used previously. The numbers are new to them.

The website sayakenahack.com was created on Sunday by tech blogger Keith Rozario to enable the public to check if their personal data is among the information that was stolen.

More than 50,000 Malaysians have checked so far. The massive breach is believed to have happened in 2014 and involves the personal details of 46.2 million mobile subscribers in Malaysia.

On Oct 19, a data leak was reported on technology news portal lowyat.net, after an individual attempted to sell the information for an undisclosed amount of Bitcoin, a digital currency.

It is believed to be one of the largest data breaches ever in the country.

From home addresses and MyKad numbers to SIM card information, the private details of almost the entire population may have fallen into the wrong hands.

A company secretary who wished to remain anonymous was shocked to find out that a prepaid number is listed as hers although she has never been a customer of that cellular service provider.

“I have always been using another telco and my only number is a supplementary line to my husband’s for almost 15 years now. I’m guessing my personal information was stolen to register that prepaid number,” she said.

Stolen info: A screenshot of the sayakenahack.com website, which shows the types of data exposed.

An engineer who wished to be identified only as Tan, 36, was surprised to find three mobile numbers linked to him when he only has two.

“That stray number is not even one I used previously. How did someone else register a number using my details?” he said.

Technology strategist Dinesh Nair said there are two possibilities as to how this happened.

“One is that their MyKad numbers have been used. It may not be a postpaid but prepaid number which you can get at conve­nience stores.

“The other possibility is the ‘hygiene’ of the data. It may not have been ‘clean’ (having duplicated records or some errors).

“This is why when Keith published the website, he urged people to test it because it would be pretty hectic to go through millions of entries,” he said, adding that the data seemed to be of good “hygiene” as of now.

Malaysian Communications and Multi­media Commission (MCMC) network security and enforcement sector chief officer Zulkar­nain Mohd Yassin said it would most likely be a case of other people using another person’s identity to register.

He advised mobile subscribers who have discovered this breach to check again with their service providers on accounts under their names and MyKad number.

“The service providers have facilities to check these numbers. We also advise users to lodge a report with their service providers and the MCMC.

“We are serious about this. That’s why you see many compounds issued by the MCMC to service providers in respect of non-compliance with the guidelines of prepaid registrations,” he said.

Bukit Aman Commercial Crime Investi­ga­tion Department director Comm Datuk Amar Singh said its probe into the data breach is still proceeding.

“We are working round the clock,” he added.

Related story:

Tech blogger sets up website for verification

Science Technology , Data Breach