Personal data breach, again, this time of 220,000 organ donors, says lowyat


Low Han Shaun

The breached personal data comprises the donors' IC number, full name, name of the donor’s next of kin and nature of relationship, telephone number, address, race, gender and organ to be donated. – Screenshot, January 23, 2018.

ONLINE forum lowyat.net has raised an alert for another data breach, this time involving 220,000 Malaysian organ donors registered with government hospitals and transplant centres.

The donors’ IC number, full name, name of the donor’s next of kin and nature of relationship, telephone number, address, race, gender and organ to be donated, in files dated 1997 to 2016, were available online, lowyat.net said.

“The leaked data contains sign up data from government hospitals as well as national transplant resource centres across the country – which would mean that it has been retrieved from a central database,” the report said.

It said the fields in the documents online were similar to those on a government online sign up form at dermaorgan.gov.my.

The data was leaked online as early as September 2016, it said.

The files were divided by year of donor registration from 1997 to 2016. The files from 1997 to 2008 appeared to be filled with dummy data which were useless, while files from January 2009 to August 2016 had complete personal details of 220,000 individuals who registered as organ donors.

“This leak contains one very serious implication where it reveals personal information of a nominated next of kin.

“This doubles up the actual number of records leaked to 440,000, and also links two individuals to each other in a binding relationship – whether it may be husband/wife, siblings or parental,” the article said.

Lowyat.net said the files were dumped on August 19, 2014 and uploaded to a file sharing service on September 29 the same year.

Lowyat.net appealed to all organisations handling personal data to ensure the data is kept safe.

Malaysians first heard of a massive data breach on October 19 last year, when lowyat.net reported that the data of 46.2 million mobile phone subscribers had been leaked.

The breach was said to have happened from 2012 to 2015, affecting Jobstreet.com, Malaysian Medical Association, Malaysian Medical Council, Academy of Medicine Malaysia, Malaysian Dental Association, National Specialist Register of Malaysia and telecommunication companies including Maxis, Celcom and DiGi.

Police traced the leak to an IP address in Oman, and said the breach could have taken place during a data transaction and could have involved employees of a company. There has been no news of the case since. – January 23, 2018.
 

