Critical Infrastructure Security , Cybercrime , Fraud Management & Cybercrime
Malaysian Agencies Investigate Alleged Breach Affecting 13MMaybank - Country's Largest Institution - Denies Data Breach
Malaysian Communications and Digital Minister Fahmi Fadzil ordered an inquiry into an alleged massive data breach affecting around 13 million citizens. The leaks reportedly involve data from Maybank, satellite broadcaster Astro and the Election Commission.
See Also: Cyberwarfare in the Russia-Ukraine War
Fadzil ordered the national cybersecurity specialist agency CyberSecurity Malaysia and the Malaysian Personal Data Protection Department to investigate whether there is a data leak involving the parties concerned and to take legal action if a breach occurred.
On Saturday, Malaysia's largest financial services group, Maybank, denied the alleged claim of a customer data breach. It said on Twitter, "After investigation, it confirms that these accusations are false."
It also said, "We would like to reassure you that your data remains secure [and] private and that no customer data has been compromised. We will continue to prioritize our cyber security measures as customer data protection is of the utmost importance to us."
The leak came to light after a Facebook user named Pendakwah Teknologi tagged Fadzil and shared details about the data leak.
The user shared screenshots of the data available in the breach forum, including information such as username, birthdate, address and identity numbers.
The alleged post on the breach forum was made on Dec. 25, 2022, and said:
- 3.5 million Astro information leaked;
- 1.8 million MAYBANK information leaked;
- 7.2 million SPR information leaked.
In response to Pendakwah Teknologi's post, Fadzil said, "This is a serious alleged leak, involving a large amount of data. I will ask CyberSecurity Malaysia, the Malaysian Personal Data Protection Department to investigate whether there is a data leak involving the parties concerned, and take legal action."
The leak was first uncovered by the ThreatMon, a cyberthreat intelligence platform, on Dec. 26, 2022.
Fadzil on Friday said on Facebook that the Ministry of Communications and Digital, through the Personal Data Protection Department in collaboration with CyberSecurity Malaysia, is seeking feedback from Maybank and Astro to ensure the legitimacy of data ownership.
The investigation uncovered the Maybank account number information on the website in question was invalid or nonexistent. The minister said that the alleged data leak might be in reference to an incident that occurred in 2018.
"Official confirmation from the relevant parties is required for the purpose of a detailed investigation under the Personal Data Protection Act 2010 (Act 709)," Fadzil said.
Regarding the data involving the Election Commission, Fadzil said that the investigation findings will be submitted to the National Cyber Security Agency for further action since it is outside the jurisdiction of Act 709.
The minister also announced that he has submitted a restriction notice to the Malaysian Communications and Multimedia Commission to prevent the public from accessing the alleged website where the data has been posted.