Massive Malaysian telco data breach might be an inside job

INVESTIGATORS in Malaysia have suggested the massive personal data leak of 46 million mobile phone accounts was linked to a subcontractor of the Southeast Asian country’s very own Internet regulators.

On Monday, Inspector-General of Police Mohamad Fuzi Harun said investigators were tracking down the owner of an e-mail account which could help solve the case.

The official’s comment came following reports on the discovery of several file names containing the words PCBS and SKMM, which at least six telecommunications companies used as references related to the leaked data.

SKMM refers to the Malaysian Communication and Multimedia Commission’s (MCMC), the country’s regulator, whole the PCBS is the acronym for its Public Cellular Blocking Service system, a service to deactivate phoneS reported stolen or missing. The PCBS initiative was launched in 2014, the same year the breach reportedly occurred.

According to the New Straits Times, following the launch of the PCBS, the regulators created the Malaysian Central Equipment Identity Register (MCEIR), which the database containing International Mobile Equipment Identity (IMEI) numbers, a unique serial number to identify every mobile phone in the country.

The MCMC did not manage the PCBS, but outsourced its administration to a private firm.

Mohamad Fuzi did not elaborate exactly how the email account was linked to the leak but said the owner had yet to be found.

The discovery of the data breach was first revealed by a Malaysian technology news site called Lowyat.net after someone used its forum to sell large databases containing personal details for an undisclosed amount of Bitcoin.

The databases on offer contained personal details such as mobile phone numbers, identification card numbers, and home addresses, among others. The leak also involved the personal information of 80,000 individuals, whose records were held by the Malaysian Medical Council, the Malaysian Medical Association, and the Malaysian Dental Association.

Lowyat.net founder Vijandren Ramadass said he had informed the regulators about the breach on Oct 18, and published an article on the matter, but the regulators did not make any comment. Instead, the MCMC ordered the publisher to take the story down.

The regulators only acknowledged the breach in a Facebook post the following day, and on Oct 23, it confirmed 46.2 million mobile subscriptions were affected by the breach.

Since the police’s announcement, the MCMC and the country’s Communications and Multimedia Minister Salleh Said Keruak has yet to comment on the matter.

“I don’t want to comment. Ask the MCMC,” Salleh said, as quoted by The Star.

Meanwhile major opposition party People’s Justice Party (PKR) communications director Fahmi Fadzil posted a barrage of questions relating to the appointment of the company managing the PCBS.

“What were the merits or credentials that led to the hiring of the private company to implement the PCBS in 2014?” Fahmi asked in a statement to Tech Wire Asia.

“When did the MCMC identify the occurrence of the data leakage? Or was it only aware of this data leak following Lowyat.net news report on Oct 19?”

Fahmi also asked whether the MCMC and the private contractor would be compensating consumers affected by the leak.

---

---

---

---