It’s being reported this morning that over 46 million Malaysians have been affected by a severe and wide-ranging data breach, mostly stolen from Malaysian telecoms companies, but also including some 80,000 medical records. Records including mobile phone numbers, names and SIM card data is also among the information stolen. IT security experts commented below.
Kyle Wilhoit, Senior Cybersecurity Threat Researcher at DomainTools:
“The size of this data breach, and the type of data stolen is a particular cause for concern. Data such as addresses, phone numbers, account user names and SIM card data all fall into the definition of PII, and could therefore be used as starting point for further targeted attacks on individuals, with criminals leveraging the information they already have to entice ever-more damaging and valuable information from the victims, via spear-phishing tactics. The leaking of medical information is also very concerning, as this potentially sensitive information being made public could have a severe impact on an individual’s life. The organizations concerned need to remain vigilant to anything unusual appearing in their inboxes and monitor their PII closely.”
Mark James, Security Specialist at ESET:
“As usual with this type of stolen data, the concern is what it’s going to be used for. When a user is presented with data that has a certain amount of truth, or even data that is of a known personal nature, then the chances of a successful phishing or scam attack are significantly higher. The user can immediately relate to the data and would in most cases follow any instructions that may be within an email, or even through a personal phone call; because in most cases we have no control over what is stored about us online, we have no choice but to comply. If we want the benefits of connected services and the ability for medical organisations to have all the info at hand in case of emergency, in most cases they have to have our most private details.
Sadly, we have no control over their resources used in securing this data, so there is nothing we can do when its goes missing except be more vigilant when approached by others. Don’t be afraid to double check phone calls and emails out of the blue when you have not requested a contact, it usually costs nothing to be extra safe and most companies would encourage it.”
Lee Munson, Security Researcher at Comparitech.com:
“Data breaches are becoming both more frequent and much larger in size so the news that millions of Malaysians may have been caught up in the country’s biggest ever information grab is not that surprising.
That the data may have come from multiple different sources, albeit primarily telecoms companies, is interesting as it would suggest the hacker, or hackers, behind the masses of personal data for sale have either been gathering it for some time from multiple sources, or a number of companies have been involved in the illicit sale of personal information.
Given the nation’s previous for internet security, the former is more likely, though that’s hardly comforting for the tens of millions of people potentially affected.
Quite how the victims of this alleged crime will recover remains unclear until the scope of the breach and validity of the information available for sale are confirmed.”