Just last month, it was reported that the private data of over 22.5 million adult Malaysians, in addition to as many as 800,000 selfies of MyKad holders had been leaked from the National Registry Department (JPN). The repository, which came in at a total of 160GB, had been offered for sale by bad actors for a princely sum of US $10,000 (RM43,885) to be paid for in cryptocurrency.
Since then, the Ministry of Home Affairs (KDN) has conducted an investigation into the allegations and have claimed that the leak did not in fact originate from the National Registry Department (JPN). With that being said however, a local cybersecurity expert has revealed that a website is now purportedly selling the private data of Malaysians from as low as RM6.63.
A new site claims to offer private data belonging to Malaysians for sale
As shared by Twitter user @Radz1112, an “Open-Source Intelligence (OSINT) tool” now exists on the ‘clearnet’, otherwise referred to as the publicly accessible layer of the Internet, which allegedly operates using data that was obtained from the previously mentioned JPN breach. For those not in the know, an ‘Open-Source Intelligence Tool’ refers to tools used to canvass, collect, and analyse information from public sources over the Internet to produce actionable intelligence.
We have a fucking situation.
There’s an OSINT tool already out in the clearnet thats using the leaked Jabatan Pendaftaran Negara database. I just tried it out and holy fuck we are screwed.
I wasn’t even looking for anyone specific and I’m already finding nombor anggota.
— Cyber Guardian 💕 (@Radz1112) June 11, 2022
To do so, all one would apparently need is a name and a birth year in order to confirm if the individual in question is attached to either the Malaysian police force, or military. However, more vital pieces of information has been intentionally hidden behind a paywall, and requires users to first create a paid account in order to gain further access.
In speaking with Wau Post through an end-to-end encrypted chat service, @Radz1112 explains that prices for information obtained through the tool start from between US $1.50 (RM6.64) to US $3.00 (RM13.27) for a basic person profile. However, membership tiers can cost upwards of US $10,000 (RM44,250.00). This membership tier would also grant users a ‘remove my profile’ option to delete their own data from the repository. They add that the tool only accepts credit-card payments for high-tier membership options.
What kind of information is accessible?
So what can you glean from the site, exactly?
With your name:
- Your birth year (based on the first two digits of your IC)
- The last two digits of your IC
- Whether you have a registered nombor anggota
- The state where you first registered your IC
- Your full IC number (paid service)
- Your nombor anggota (paid service)
With your IC number or nombor anggota:
- Your full name
- Your voter information (locality, federal & state constituencies)
- Full nombor anggota
- The last four digits of your phone number
- Your address (city, state, zip code)
- Your gender
- Your date-of-birth
- Your full phone number (paid service)
- Your full address (paid service)
- Your credit report (paid service)
- Your MySejahtera information (paid service)
With your car registration plate
- The first letter of the vehicle owner’s name
- The letter count of the vehicle owner’s name
- The last four digits of the vehicle owner’s IC
- The first digit of the vehicle owner’s IC
- The full IC number of the vehicle owner (paid service)
- The vehicle owner’s full name (paid service)
With your phone number (an account is needed for this service)
- The name of the phone number’s owner
- The name of your service provider
- The type of line used by the phone number (land line, mobile)
- Your email address
- Any Commercial Crime Investigation Department (CCID) report tied to the number
- The phone number owner’s full address (paid service)
- The phone number owner’s IC (paid service)
However, the site has apparently been taken down by an unknown entity as of 12th June 2022.
Site was found down at 1830hrs, 12th June, 2022. Unknown which entity took it down.
Visual confirmation: pic.twitter.com/PYg8tDwmEk
— Cyber Guardian 💕 (@Radz1112) June 12, 2022
What can you do to safeguard your data online, in this case? While there is no ‘one-size-fits-all’ approach to cyber security, @Radz1112 advised that users should always consider themselves as their own arch nemesis, and make an educated evaluation on what information posted online can be easily exploited by others. Among them include photos of your own home, your car registration plate, or your outdoor habits.
“The point is to make it just a lil bit harder for a stranger to use your information against you.”
@Radz1112, who is a graduate in Cyber Security with a minor in criminal justice, says that they are currently involved in ‘public-interest cyber security’, and focuses more on aspects of technology that the general public uses, and may be at-risk of. They add that they have also had previous experience working as a first-responder, as well as in the field of criminology prior to graduating.