On March 30, AKPK announced that it had discovered that its server containing customer data may have been illegally accessed and it had taken measures to put operational systems offline temporarily. — AZMAN GHANI / The Star
PETALING JAYA: The Credit Counselling and Debt Management Agency (AKPK) said it has confirmed that some data obtained from a data breach, which it announced on March 30, has been published on the dark web today (April 26).
"While our investigation with third-party cybersecurity experts is continuing, it appears that approximately 20 customers have had personal information – names and National Registration Identity Card (NRIC) numbers – published.
"We are working closely with law enforcement and other relevant authorities, including the Communication and Digital Ministry, and CyberSecurity Malaysia, in the ongoing thorough investigation.
"We are also working to identify the specific information that has been illegally accessed and update the customers that have been affected.
"We anticipate and are preparing for the criminals to publish more information including additional customer names and NRICs," AKPK said in a statement to LifestyleTech.
A quick check of the file posted on a data breach website by a ransomware group claiming to be BlackCat on April 25 showed that it contained a list of directories, with limited samples showing documents such as payslips, letters from banks, copies of MyKad, and application forms of individuals joining the agency's Second Chance Program.
The agency said its staff will be on standby to assist customers in matters related to the breach.
"We understand this situation is very concerning and we sincerely apologise. AKPK will continue to do everything we can to mitigate the impact of this breach.
"We are reaching out directly to communicate with all our customers about this security breach and support them in the steps customers can take to safeguard themselves," it said.
On March 30, AKPK announced that it had discovered that its server containing customer data may have been illegally accessed and it had taken measures to put operational systems offline temporarily.
The agency states that the acquisition, use and dissemination of information in the possession of cybercriminals is a criminal offence.
