Opposition politician Fahmi Fadzil posed a barrage of questions relating to the appointment of the company managing the PCBS. Source: Fahmi Fadzil

Malaysia’s Internet regulators in legal trouble over massive data breach

MALAYSIA’S Internet regulators are being dragged to court over the massive data breach that involved more than 46 million mobile subscription accounts in the country.

Fahmi Fadzil, communications director of the opposition People’s Justice Party, has filed a civil suit against the Malaysian Communications and Multimedia Commission (MCMC) and Nuemara (M) Sdn Bhd, a private company managing the compromised Public Cellular Blocking Service (PCBS).

“The civil suit is for failing to guarantee the safety of personal information of the mobile users,” Fahmi said during a press conference recently.

“It involves 42 million users. It involves almost all citizens and foreigners living in Malaysia.”

According to Free Malaysia Today, Fahmi said the leaked information contained users’ addresses, IC numbers, dates of birth and other personal information.

He said that although the incident took place in 2014, no one had yet been taken to task over the matter.

“Despite it being a large scale data leak, we have not been told why and how the leak took place, or the measures taken. I hope the civil suit will spur these questions and we will get answers.”

Fahmi said he was also baffled as to why no one had resigned over the matter as practised in other countries.

“In fact, if it is shown that the company responsible failed to guarantee the safety of the users, their contract should perhaps be terminated.”


Fahmi’s lawyer Syahredzan Johan said the case was based on breach of trust for failing to guarantee the personal safety of mobile users.

“We would like to question what measures were taken before, during and after the leak,” he said.

The PCBS initiative, a service to deactivate phones reported stolen or missing, was launched in 2014, the same year the breach reportedly occurred.

Following the launch of the PCBS, the regulators created the Malaysian Central Equipment Identity Register (MCEIR), which is the database containing International Mobile Equipment Identity (IMEI) numbers, the unique serial numbers that identify every mobile phone in the country.

The MCMC did not manage the PCBS, but outsourced its administration to a private firm.

The data breach was first revealed by a Malaysian technology news site called Lowyat.net after someone used its forum to sell large databases containing personal details for an undisclosed amount of Bitcoin.

The databases on offer contained personal details such as mobile phone numbers, identification card numbers, and home addresses, among others. The leak also involved the personal information of 220,000 individuals, whose records were held by the Malaysian Medical Council, the Malaysian Medical Association, and the Malaysian Dental Association.