PETALING JAYA: Private information of over a million students and alumni of Universiti Teknologi MARA (UiTM) enrolled between 2000 and 2018 has been leaked in a massive data breach.
The leaked data includes personal details like students’ names, MyKad numbers, house and email addresses, campus codes, campus names, programme codes, course levels, student IDs and mobile numbers.
Tech portal Lowyat.net reported that records of 1,164,540 students had been compromised, affecting records from UiTM campuses around the country, including the main one in Shah Alam.
It also affects students enrolled in UiTM accredited courses at external colleges like Kolej Yayasan Terengganu, Institut Teknologi Perak and Institut Yayasan Bumiputera Pulau Pinang.
The data breach had apparently occurred between February and March last year, according to anonymous sources.
However, UiTM vice-chancellor Emeritus Prof Datuk Dr Hassan Said denied that the university system was hacked, as screenshots of the leaked data didn’t match the formatting of UiTM’s internal system.
“This shows that the information has been edited or manipulated by irresponsible parties, and proves that the information was not gleaned from a hack of UiTM’s systems,” he claimed in a press statement.
He added that UiTM was confident that the security system it had in place was still secure, safe and trustworthy.
Prof Hassan said the university took security seriously, having comprehensive security protocols for the university’s private and official information.
He said UiTM’s cybersecurity system was on par with other organisations in Malaysia, as proven by the Information Security Management System ISO 27001:2013 certificate awarded by Sirim QAS International Bhd on Jan 14.
UiTM is also performing an internal investigation to ensure no wrongdoing by any UiTM staff. Should any proof of wrongdoing be found, the university said it would not hesitate to take legal action against the responsible party.
However, a source informed The Star that a group called 11 Supernova Security had claimed responsibility for the leak on Facebook.
A post on its page on Jan 22 said: “We have all UiTM database ...” with the hashtag #UitmUnderAttack.
Subsequently, it posted an update, claiming that it was not responsible for the leak and that the group had been sabotaged by “certain parties”.
Hack In The Box CEO and security expert Dhillon Kannabhiran said the source of the leak could have been internal.
“It could have been someone working in UiTM who was given clear access to student records for administrative duties,” he said.
Dhillon said leaking personal data online was illegal, even if the intent wasn’t, adding that it was most likely done for “bragging rights”.
“Scammers could call you up and say they have your exact details like MyKad number and home address. They could blackmail you and talk you into transferring money,” he said.
He suggested that victims changed their phone numbers.
CyberSecurity Malaysia (CSM) senior vice-president for cybersecurity responsive services Dr Aswami Ariffin said he was aware of the incident, though the agency had not received a report from UiTM.
He said due to current regulations, CSM cannot begin an investigation until a request or report had been made by the affected party.
Before starting an investigation, CSM could not be sure of the degree of damage done, but Aswami recommended that UiTM alumni changed their passwords and credentials related to the university.
He warned that the leak contained a wide range of sensitive information that allowed hackers to build a profile of the victims through a technique called “data correlation”.
Asked why the information would be leaked openly, rather than kept quietly and sold, Aswami said the hackers could be doing so to create awareness so that the university and government were aware that the system had flaws that could be exploited.
Cybersecurity company LGMS director Fong Choong Fook pointed out that the breach was reported to have occurred last year, thus the information could have already been sold by the original hackers before being leaked by a purchaser, perhaps for political agenda, fame or even to shame someone.
“The personal data leaked is valuable. Imagine I have your full data, I could try to apply for credit cards and even loans from credit companies,” he claimed.
He added that it was an open secret that even legitimate businesses like marketing and advertising firms would want such data for targeted advertising.
Asked if there was anything that the affected alumni could do to mitigate the damage, Fong said there was not much they could do, though if the database contained their password hashes, the victims should change these at once.
On June 6, last year it was reported that Astro IPTV (Internet protocol television) customer data was leaked and being offered for sale on a local forum for as low as 45 sen a record.
Astro clarified that its other customers were not affected, and that the management of IPTV customers was a joint responsibility between Astro and its telco partner Maxis Broadband Sdn Bhd.
At about the same time, the Education Ministry’s online school examination analysis system – Sistem Analisis Peperiksaan Sekolah – had to be taken down after reports emerged of a data breach that leaked the information of 4.9 million students.
One of the largest data breaches in Malaysia occurred in 2017 when the personal details of more than 46.2 million mobile phone subscribers were leaked – also for sale online.