
(Photo by Arif KARTONO / AFP)

Relax… it’s only the data of 22.5 million Malaysians leaked online

While most organizations and governments around the world would be scrambling whenever a data breach occurs, the Malaysian government seems to be handling it at a very calm pace.

For most companies, any data breach or data leak could end up with the organization facing huge financial losses and even having its reputation tarnished. And in some cases, the recovered data could already have been tampered with, causing further concern for those affected.

As millions of Malaysians are worried that their personal data could go into the wrong hands following an alleged data leak at the National Registration Department (NRD), the government has assured the public that the situation may not be as serious as it seems.

In fact, the Home Minister of Malaysia stated that the alleged data leak containing information of 22.5 million Malaysians is not from the NRD as there was a mechanism in place which could prove that the leaked information did not come from the department.

Local tech portal Amanz had initially reported that a database allegedly from the NRD, about 160GB in size, was being sold for US$10,000 on the dark web. The data contained information on 22.5 million Malaysians born between 1940 and 2004.

This is not the first time the NRD has been breached. Last year, a database of about 4 million Malaysians from the NRD also made its way to forums on the dark web, where it was sold.

While a probe into the breach and investigations are ongoing, many Malaysians are concerned about the state of cybersecurity in government agencies, especially with data leaks becoming increasingly common.

Phillip Ivancic, APAC Head of Solutions Strategy at Synopsys Software Integrity Group, shares the same sentiments. For him, although authorities are yet to confirm the details, a mass data breach of the national identity database should be of grave concern to all Malaysians.

The type of information reportedly included in the data breach, such as national identity numbers, dates of birth, addresses, gender, religion, and official ID photographs, could indeed be used by criminal groups to attempt identity fraud against Malaysian citizens. Criminal groups may attempt to take out loans or commit other financial fraud using the identity information on file.

“I’m sure the Malaysian authorities will provide official advice, but I would strongly encourage all Malaysians to change their passwords and, if they haven’t already, ensure that they have signed up to get alerts from official credit bureau sources to alert them if any loan, buy now pay later or credit card is taken out in their name. Passwords should be as long as possible. A trick I often recommend is to make your password a passphrase, for example, a small sentence you will remember, like ‘Ihave2petcats,and2petdogs’ would make a strong password,” commented Ivancic.

Meanwhile, Garrett O’Hara, Mimecast field chief technologist, feels that the data leak could have had many causes. He explained that this depends on how the data breach occurred and that, at this stage, there isn’t enough information.

“If it was through the myIDENTITY API, as has been suggested by various sources, it may be that there is additional work required to secure the API endpoints against unauthorized access, or perhaps throttling to avoid data harvesting. A thorough, post-incident analysis can highlight the learnings required to make an organization more cyber resilient in the future,” said O’Hara.

O’Hara added that the NRD being unaware of the data leak is also a common occurrence. Many organizations do not realize they have had a data breach until they are informed by another organization. There are services to monitor the dark web for data sets or information related to a particular company or organization.

Often the first time an organization learns about their data being breached is when they get a phone call from someone who has found a dataset on an underground data broking platform.

“General good cyber security practice would ensure organizations use strong technical security controls like email security, endpoint, and web, in addition to secure processes for data access and handling, as well as having staff well trained on best practice cyber security,” said O’Hara.

This mitigates some of the risks of a data breach. Data leaks caused by a user deliberately or accidentally exfiltrating data through channels like email, USB drives, or online storage tools can also be mitigated by Data Leak Prevention tools. These tools examine data channels for accidental or unauthorized sending of data and can automatically block the data before it becomes a breach situation.

With that said, the Malaysian government may have to show a bit more attentiveness when it comes to dealing with data leaks and breaches. While they may have the situation under control, they still need to be more vigilant and ensure their digital assets and infrastructure are well secured from any cyber threats.