KUALA LUMPUR: It was reported earlier that at least 46.2 million Malaysian mobile phone numbers including subscriber details and device information have been leaked online.
Sensitive information such as home addresses, MyKad numbers and even SIM card information is possibly jeopardised, and subscribers could be vulnerable to social engineering attacks or, worse, cloned phones.
In 2016, InfoWatch Analytical Centre registered 44 mega leaks, each compromising more than 10 million personal data records. This figure is twice the number of cases recorded in 2015. The report showed that 73.8% of the data leaks that hit South-East Asia in 2016 used either browsers or cloud networks.
“If we take the leaked 46.2 million phone numbers, it seems fair to assume that such enormous data volume leakage via the network channel was caused by either an intrusion or a malicious insider,” said InfoWatch Group international business development chief Vladimir Shutemov.
“The owners of leaked phone numbers may become easy targets for social engineering and phishing activities, such as annoying ad calls, spam, and fee-based subscriptions they are unaware of,” he said in an email.
Kaspersky Lab global research and analysis team chief security expert Aleks Gostev says that the damage could be worse.
He believes that as more people rely on their mobile phones as the repository of their data, and the mobile phone number becomes a key identifier, the risk associated with leaked mobile phone numbers increases.
“If an attacker knows your phone number, it would be possible to intercept all your communication and transmitting information including bank accounts, two-factor authentication SMS, text messages, mobile messenger and geolocation data. Not just your digital life is at risk – with geolocation data you can easily be tracked or stalked,” said Gostev in an email.
Gostev added that cyberattacks on organisations can be subtle and go undetected, especially when the attackers have identified the precise information that they want.
A well-planned concerted attack on the right target, he says, can siphon off valuable data in one go, or can keep siphoning data continuously until the hack is discovered and the vulnerability that allowed the intrusion is patched.
As for leakage prevention, Shutemov says that it’s an easy task for any content filtering system to intercept unauthorised transmissions of phone numbers via various channels.
“The database leakage just demonstrates how poor the information flow control is, because any properly configured data leak protection system can block such a leak,” he said. “Such a large-scale transmission of data, including millions of phone numbers, can be identified if there is a government system in place to control traffic in the network.”
Companies which suffer data leaks must immediately notify their customers of the incident and the risks related to the loss of their personal data, said Shutemov, adding that this can be done by educating the users on the core principles of cyber hygiene.
“Users should neither click links nor open attachments in emails received from unknown sources, while remaining heads-up in the case of an apparent fraud,” he explained.
Shutemov added that it would pay to attentively monitor any calls, SMS or banking operations using that particular mobile phone, as well as constantly monitor all banking accounts.
“Also, if there are other applications that are connected to this phone, like GPS tracking of your family members or pets, you must pay attention to them,” he said.