KUALA LUMPUR: Everyone is a suspect for now, say the police investigating a purported leak of a database containing the personal information of four million Malaysians that is for sale online.
And the police are looking at the possibility of the leak being an inside job.
“We received a report yesterday (Monday) from the National Registration Department (NRD) deputy director in Putrajaya,” said Bukit Aman Commercial Crime Investigation Department (CCID) director Comm Datuk Mohd Kamarudin Md Din.
“From there, we will work backwards to identify where the leak is.
“We will also compare the leaked data to our own database to verify if the information is legitimate,” he said.
The availability of the database was made public on Twitter by Adnan Mohd Shukor, an intrusion analyst, who also shared a screenshot of the database being sold online for 0.2 BTC (RM35,350).
The 31.8GB file purportedly contains names, email addresses, mobile numbers and addresses grouped by birth year from 1979 to 1998.
It was claimed that the data was harvested from the NRD through the MyIdentity application programming interface (API).
MyIdentity is a centralised data-sharing platform that is used by various government agencies. However, the MyIdentity website – which was set up in 2012 – is no longer accessible.
At a press conference in the Jinjang police station, Comm Mohd Kamarudin said that the police do not deny the possibility of an inside job.
“We have to determine our course of action. This data belongs to us and if it goes out there, scammers will profit,” he said, adding that the police are taking the matter seriously as the leak could also lead to more scams.
The Inland Revenue Board (IRB) has denied an online report claiming that the data leak originates from its website through the MyIdentity API.
In a statement, IRB said it is only a user of the service and does not own the MyIdentity system which is under the purview of the NRD.
“An internal investigation was conducted and no data or information leak was found,” it said.
IRB said it is currently cooperating with the NRD, the National Cyber Security Agency (Nacsa) and the National Security Council to investigate the allegations.
Adnan said he had informed the relevant parties about the database before going public on Twitter.
He has been on the lookout for the database, as it has been talked about by a number of online sellers for the past few months.
“I have a crawler running to monitor a few specific keywords. I got an alert on Monday morning and found this posting in a marketplace for database breaches and leaks,” Adnan said in a phone interview.
“This is not the first time that such a database with details from NRD has leaked onto this marketplace.
“I believe this database is likely to be legitimate as I have sources who have said they have discovered similar findings,” he claimed.
“I’ve reported previous findings before and felt that there was no progress. Instead, I got some disappointing responses.
“They were more concerned about how I found the database. As this is now public, I hope to see things change,” he said.