Data leak: Only 44 agencies can access NRD’s databaseMOHD FAIZUL HAIKA MAT KHAZI AND LIZA MOKHTAR
PUTRAJAYA – The Home Ministry is taking a firm measure by limiting only 44 government-related agencies to access Malaysian’s personal data in the National Registration Department (NRD)’s database.
Its minister Datuk Seri Hamzah Zainuddin said the decision was made after the Home Ministry noticed several parties had previously tried to access NRD’s databases and sold 22 million of Malaysia’s private data on technology market forum Lowyat.net priced at USD10,000 (RM43,870).
The exposed personal data, he said, was possibly acquired by various sources such as social websites, telecommunication companies, financial institutions and government agencies including the Land and Mines Department before it was put up for sale in the dark market.
Hamzah’s revelation directly denied the allegations of the personal data being sold by an insider from the NRD.
“Our problem now is there are too many agencies that were given access to Malaysian’s personal data by the NRD through online means.
“As of now, there are 44 agencies that were given access to the personal data by NRD, which include the Companies Commission of Malaysia (SSM), the Inland Revenue Board (LHDN) and so on.
“In fact, there were more agencies allowed to access (the database) before this, however after the data leaked, NRD finally limit the access to only 44 agencies now,” he said during an exclusive interview with Sinar Premium recently.
Hence, he said, the ministry had revoked the access of several agencies following the data leak.
“When we look at the watermark, we could recognise which agency has leaked the data.
“Therefore, we will investigate this matter and prioritise only important agencies that would be allowed to access NRD’s database after this,” said Hamzah.
It was reported that Malaysian’s personal data was on the market at USD10,000 (RM43,870) in a database market forum.
The technology website Lowyat.net showed the NRD data set which contained a whole of 22 million Malaysians personal data was obtainable within the price.
The seller claimed the personal data that included names, identification numbers, addresses and photos along with the data from Election Commission (EC) were also available on the market.
It was no longer a claim as last year, NRD has confirmed a report regarding the trade of four million Malaysian personal data sold on a well-known online forum.
Meanwhile, cyber security expert Dr Suresh Ramasamy said personal data was openly sold on the dark web as there was no observation made to effectively prevent such activities.
“Based on the numbers of data leak incidences, it is undeniable there are exposed personal data that were up for sale openly in the dark web.
“The profit amount is uncertain but it could reach more than thousands through bitcoin,” he told Sinar Premium.
Dr Suresh had previously exposed data leak which involved the Industrial Covid-19 Immunisation Programme explained the leaked data was sold through a forum by one or more individuals.
“The personal data, acquaintances information and any formed of supporting information that is applicable for fraud were sold for profit.
“There were also parties who sold the cybercrime software such as malware, ransomware as services in the dark web sites.
“It could be sold directly to a group of buyers or proxies who received a part of the transactions,” he said.
He then explained that in a certain situation, there were certain research organisations that bought their own data to check how severe was the leakage.
Dr Suresh added other than selling personal data, the dark web also portrayed activities such as bypassing content restrictions imposed by several governments, in fact, one could even get medicine prescriptions, weapons and drug dealing in a few underground forums as well.
Unfortunately, there were no records or list of the transaction, and it was only known by the seller.
However, according to Dr Suresh, the dark web does not only emphasise illegal activities or transactions.
“It was probably unexpected but there are also forums in the dark web where the discussions of advanced coding and so on, but only the bad issues were synonym with the public,” he said.
Dr Suresh, who had 28 years of experience in cyber security, further explained that it was impossible to monitor the personal data transaction on the dark web unless there was a special task force focused specifically on the case.
“The issues related to the dark web have the quality of anonymity. In other words, the activity was exposed but who lies behind it remained unknown,” he said.
However, he explained in several countries, the United States and European Union have witnessed the data personal data selling activities and other suspicious activities in the dark web was stopped by the law enforcement agency.
For the record, dark web was invisible and difficult to penetrate, unless it was accessed on the main internet (onion address) used by the website on the dark web.