THE Personal Data Protection Commission (PDP), which is under the Communications and Multimedia Ministry, has launched an investigation into the personal data breach of 220,000 Malaysian organ donors.

“The PDP takes note and views the seriousness of the personal data breach incident of the Malaysian organ donors that was alerted by lowyat.net yesterday.

“That issue is being monitored and investigated under the Personal Data Protection Act 2010 (Act 709),” it said in a statement today.

The data breach, which was leaked by online forum lowyat.net, involved donors registered with government hospitals and transplant centres.

Leaked data included MyKad numbers, full name of registrants, names of donors’ closest relatives, contact details, race, sex and organs they wished to donate.

Lowyat.net said the leak occurred as early as September 2016 and the fields in the online documents were similar to those on a government online sign-up form found at dermaorgan.gov.my.

The files are classified according to year of donor registration from 1997 to 2016. The files from 1997 to 2008 appear to be filled with dummy data while those from January 2009 to August 2016 had complete personal details of 220,000 individuals who registered as organ donors.

This is the second known online breach of Malaysian personal data since the massive breach on October 19 last year involving 46.2 million mobile phone subscribers.

The breach was said to have happened in 2012 to 2015, and involved online recruitment site Jobstreet.com, Malaysian Medical Association, Malaysian Medical Council, Academy of Medicine Malaysia, Malaysian Dental Association, National Specialist Register of Malaysia and telecommunication companies, including Maxis, Celcom and DiGi.

Police traced the leak to an IP address in Oman, and said the breach could have taken place during a data transaction and may have involved employees of a company. There has been no news of the case since. – January 24, 2018.