ONLINE forum Lowyat.net yesterday published an article on a massive data breach after the country’s internet regulator did not respond upon being alerted to the matter, said founder Vijandren Ramadass.

He said the Malaysian Communications and Multimedia Commission (MCMC) was alerted after posts by a “seller”, aggressively promoting the sale of the data, were first noticed on Wednesday evening.

“The seller had created many new accounts, trying to sell the data. We had to continuously remove them. The accounts were created using many email addresses and new IP addresses.

“As we didn’t get any response or statement from MCMC, we published the article to highlight the breach, based on the information that the seller had posted online.”

He said all information on the seller’s accounts was handed over to MCMC yesterday morning before the article was published.

Ramadass, who is also the website’s chief executive officer and author of the article, added that the seller was believed to have uploaded similar posts on other forums.

He said the article posted on Lowyat contained a warning that it was illegal to sell or purchase the data, and that the information in the article was taken from the seller’s posts, which showed samples of what was up for sale.

“The samples alone, amounting to around 150,000 lines of information, were uploaded by the seller on Google Drive. The full data, according to the posts, comprises more than 50 million lines of data.

“The telco samples that the seller provided contained 100,000 records of handphone numbers, between 6010-200-0065 and 6011-250-73965.

“We cross-checked some of the names in the sample data with public Facebook posts, and noted that the locations in the data were identical to (those stated in) the Facebook profiles.”

MCMC, in a statement published on Facebook today, said the commission and police had launched an investigation into the matter, and urged the public not to speculate until the probe was completed.

“MCMC, together with police, are investigating a report about advertisements selling users’ data, which is believed to have been obtained illegally.

“As a preventive measure, MCMC asked the administrators of Lowyat.net to remove the advertisements. The administrators cooperated and took down the advertisements, as well as the related article.”

Legal rights advocacy group Lawyers for Liberty earlier today slammed MCMC for being undemocratic and violating the government’s guarantee not to censor the internet.

Yesterday, the commission had ordered that Lowyat remove news on the data breach, which involves millions of users and is estimated to have taken place between 2012 and 2015.

The Lowyat article said databases of Malaysians’ personal details, obtained from Jobstreet.com, the Malaysian Medical Association and the Malaysian Housing Loan Applications, among others, were being sold for bitcoins.

It said “the mother lode” was customer data from telecommunications companies, including Celcom, DiGi, Maxis, TuneTalk and Umobile.

The article said the incident “could be one of the biggest data breaches ever in Malaysian history”. – October 20, 2017.