Malaysian Data Breach
A particular breach from earlier in the month has gained importance this week. On the 31st of October 2017, it was implied that the private data of virtually every Malaysian citizen had been compromised.
In this briefing we will have a look and what is known so far for this evolving story, and what the implications of an entire country being affected by a cyber attack might be.
Around the middle of October, popular Malaysian tech website lowyat.net reported that large numbers of datasets belonging to Malaysian citizens were being offered for sale on the dark web. Subsequently, Malaysian government agencies and regulators took up their own investigations to address the claim.
The breach jumped in relevance on October 31st when the data was identified as personal records kept by phone companies and the estimated number of stolen records was set to approximately 46 million. With a current population of roughly 32 million people, this implies that the private data of virtually every Malaysian citizen has been compromised.
The excessive 14 million records likely belong to people owning more than one phone or foreigners who had temporarily registered a phone in the country.
Information includes names, phone numbers, device IDs and home addresses.
Who was behind the attack?
No reliable information on the attackers is publicly available at the time of publishing. However the fact that the data was offered for sale implies a commercial motivation. This narrows the list of likely suspects to criminal individuals and organizations. Some media outlets have suggested that North Korea or other state actors motivated by cashflow could also be possible suspects. We will update you if further details should become available.
What are the consequences?
Since practically an entire country was compromised, the consequences of this attack are difficult to predict. We expect to see an uptick in bank fraud and identity theft in Malaysia until affected organizations adapt to the new reality that confidential information about their customers is now freely available.
At the same time, Malaysian law mandates that customer information must be stored securely so the major phone operators will likely face legal action.
Furthermore, the secondary consequences that will come from decreased trust in Malaysian information security will be even harder to predict. The country has a strong tech sector which could be affected, but since major breaches have also taken place in virtually all other teach-heavy nations over the past 24 months, we currently expect the impact to be limited.