Malaysian companies still reluctant on cybersecurity


Low Han Shaun

Malaysian companies are not investing enough in cybersecurity even though compromised personal data is being traded on the dark web for as high as RM800,000 in cryptocurrency. – EPA pic, November 20, 2017.

TECH security experts are urging Malaysian companies to invest more in cybersecurity as personal data is being sold and bought on the dark web for as high as RM800,000.

The information is believed to have been gleaned from telcos and medical associations and councils, and involved 46.2 million Malaysian mobile phone subscribers, as first reported by online forum lowyat.net last month.

While Malaysia has been ranked the 12th most online-attacked country in the world, cybersecurity experts say local companies and organisations are still reluctant to ramp up their tech security efforts.

“Malaysian organisations have to change their mentality from thinking ‘if we get compromised’ to ‘when we get compromised’,” said Irene Dima from the International Council of Electronic Commerce Consultants (EC Council).

The EC Council, an authority on cybersecurity and an IT security certification body, also said that Malaysia should address the reluctance of companies to hire professionals with cybersecurity skills.

“Even if Malaysian companies are aware of the risks and consequences, they don’t want to allocate the budget for cybersecurity,” Dima said.

She said companies tend not to invest in cybersecurity as it did not show a clear return on investment (ROI) for the organisation.

“But when you are compromised, then you have to cover the expenses of the attack, which is much higher.”

Data trading on the dark web

Kane Lightowler, managing director of Asia Pacific & Japan for Carbon Black cybersecurity agency, said that the hacking and trading of personal data was far more complicated today.

“The dark web is often home to illicit economies and is increasingly being used to buy and sell cyberweapons like ransomware,” he said.

The Malaysian Insight discovered some of the sites that were offering personal data for sale in different formats.

The data is not available as direct download links and is only available to users who know coding and how to surf the dark web.

On some older dark web sites, the data was being sold in bitcoin currency (XBT) ranging from 0.100XBT to 25XBT, depending on the amount of personal data one wanted to buy.

According to currency exchange website XE Currency Converter, 1 XBT currently equals RM32,079.41.

Data priced at 25XBT would thus be worth RM801,985. It is not possible to see whether purchases have been made as they are conducted through private contact with the seller.

Accessing the dark web requires specialised knowledge and tools, like Tor (The Onion Router), a dark web browser designed to prevent browsing activity from being traced back to the user.

Lightowler said that hackers were more sophisticated in their efforts to breach data security.

“Using Facebook, say if an attacker is able to find a potential victim’s habit of going to a certain church or restaurant, they may fake an email from the congregation leader or reservation system at the restaurant and get the victim to click a link that installs malware on their system,” he said.

Lightowler also pointed out that 97% of business establishments in Malaysia are small and medium enterprises (SMEs) and that they often have weaker security infrastructures due to the limitations of financial and human resources.

“If an SME allows employees to bring their own devices, it may breed problems across the business,” he warned.

Inspector-General of Police Mohamad Fuzi Harun recently said that investigations so far have shown that the Malaysian data breach, believed to be the biggest ever in the country, could have occurred during a data transfer and may have involved employees of a company.

Police have also traced the data breach to an IP address in Oman. – November 20, 2017.




Comments


  • No surprise. Local companies' attitude has always been that it is somebody else's problem. Until and unless someone takes them to court, attitudes won't change. Only when their pocketbook is hit will they change. We are a Tidak Apa country. Hackers are most welcome!

    Posted 6 years ago by HC Lung