PETALING JAYA: The personal data of over 800,000 Malaysians, allegedly syphoned from the MySPR Daftar website, is being sold on an online forum for US$2,000 (RM9,240), to be paid in bitcoin or monero cryptocurrency.

The seller claimed that the database contains the info of 802,259 users, including selfies and MyKad photos that were provided for online voting registration on the MySPR Daftar website through the electronic Know Your Customer (eKYC) system.

The database is alleged to contain over 1.6 million photos, with a file size of 67GB.

According to the uploader, the database also contains the full names, MyKad numbers, email addresses, hashed passwords, phone numbers, birth dates and addresses of voters.

Though the post was first made back on April 11, its existence was highlighted by Twitter user @acaiijawe on Wednesday (Nov 9).

In another post, the uploader is selling the personal data belonging to 22.5 million Malaysians born between 1940 and 2004, allegedly obtained from the My Identity API.

As of the time of reporting, both threads made by the uploader are still up on the forum.

The MySPR Daftar website, launched back in 2019, allowed Malaysians to register as voters online, though with the shift to automatic registration this year, the MySPR system now only functions for changing voting addresses and the application for postal voting for those overseas and other eligible individuals.

The Department of Personal Data Protection declined to comment, saying that the Personal Data Protection Act 2010 (Act 709) doesn't apply to state and federal government bodies, and that the Act served to regulate the processing of personal information in commercial transactions.

CyberSecurity Malaysia (CSM) said it’s still waiting for a response from its tech team, while the Malaysian Communications and Multimedia Commission (MCMC) has yet to respond.