Data leaks came from many sources, says Lowyat founder


Low Han Shaun

THERE is more than one way that the leak of 46.2 million mobile phone subscribers in Malaysia could have happened, Lowyat.net founder Vijandren Ramadass said, adding that the site’s own investigations showed that the data had been passed around among different users.

By the time the online forum stumbled on the information on October 19, it was free and available as a direct download link on several sites.

According to Vijandren, the files were in different formats and showed file degradation from using various compression software.

This means that the data have been passed between different users, growing in size as more and more information was collected.

“The data are in different formats and compiled in multiple zip files in different formats.

“The reason we know the files are not new is because when you zip (compress) a file, data gets corrupted a bit, so the larger the compression, the more corrupted a file can get.

“And a lot of the files that we got were corrupted.”

This is why it is hard to determine where the breach came from, he said.

Additionally, people online have been sharing the information for years, which makes it even harder to determine when it all started.

Lowyat.net previously said the breach occurred between May and July 2014.

The breaches affected Jobstreet.com, Malaysian Medical Association, Malaysian Medical Council, Academy of Medicine Malaysia, Malaysian Dental Association, National Specialist Register of Malaysia and telecommunication companies, such as Maxis, Celcom and DiGi.

“There were a few places (direct download links) that we found at that time. We have submitted the links to the Malaysian Communications and Multimedia Commission (MCMC) for further action.

“And people who didn’t know thought that this was something new, but after tracking back the user who tried to make a quick buck on our site, we found that someone else had already put it out there,” he said.

It is not easy to breach telco databases with a direct hack, he added. Despite this, the breach could have been caused by various factors.

“Telcos are a closed system. Their data are not even supposed to be accessed by anybody and hence a hack from outside is much harder.

“But it could have been anything, it could be vulnerability in the servers or human error. Or even social-engineering attacks. Someone inside could have pulled the data directly from the server,” he told The Malaysian Insight.

The last method is called social engineering and because it is performed from the inside, there is little point in companies upgrading their cybersecurity to prevent breaches, Vijandren said.

“It is no longer about protecting just your servers, it is also the people working and coming in and having access to your data. That is where the breach happens rather than people physically attacking the server and pulling the data.”

Social hacking

Also known as social hacking, social engineering can allow data thieves access to information more quickly, with greater ease, and more efficiently, said Irene Dima from the International Council of Electronic Commerce Consultants (EC-Council).

“Hackers these days tend not to even use coding, they just need to perform social engineering,” she told The Malaysian Insight.

Through social hacking, Dima said a hacker may impersonate an employer or anyone close to obtain information like a person’s mother’s maiden name or approval for a bank transaction.

“However, that doesn’t mean that they don’t use tactics like deploying malware via email or even giving your servers or website a vulnerability assessment.

“They can be loads of black hats, they just have their tools and software applications that they can use to screen through websites online to find the loophole and then exploit that, and enter to the backend to control the system,” she said.

Dima said when hackers breached a system for data, they would stay for a long time to collect as much information as they can and won’t just “grab anything that they can”.

This can be seen in the 46.2 million handphone users’ breach where hackers obtained the leaked data between May and July 2014.

Dima said the EC-Council, an authority on cyber security and an IT security certification body, has found that Malaysian companies tend to ignore this “end-point security”.

The Malaysian Insight contacted Maxis, Celcom and DiGi on the database breach but has yet to receive a reply.

Dima said: “Take the Bangladesh (central) bank hack last year, the intruders were observing the companies and the banks way before they started withdrawing the money.

“It is not like you are entering a house and you take whatever you see.”

Dima added that companies which handled personal data were also liable for a class-action suit if user data are leaked.

“In Malaysia, customers are protected under the Personal Data Protection Act. If you leak information about someone because your system is compromised, then you are accountable for the leak.”

According to Malaysia’s Personal Data Protection Act, a company managing the data of its clients has to “take practical steps to protect the personal data” in section 9.

“The company may not willingly disclose information to a third party, but when a third party obtains the information through them, it is the same thing.” – November 2, 2017.


  

