In a country with a population of 32 million, 46 million subscriber records from Malaysia's main telecoms and network operators have been found for sale on the Dark Web. Taken at face value this suggests everyone in the country was affected, although the data would also cover people with multiple mobile numbers and likely includes inactive or temporary numbers used by visitors to the country.
Local reports say that the data, which includes user-names, prepaid and postpaid phone numbers, addresses, customer details and SIM card data, may have been successfully traded before it was discovered, having already been in circulation in underground forums.
Malaysian online news site Lowyat.net says the records came from a massive data breach thought to have occurred in 2014 and that the data includes records from major local operators including DiGi, Celcom, Maxis, Tunetalk, Redtone and Altel.
The data also includes material from other sources, with databases of more than 80,000 compromised records from the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA), according to a report in IB Times. That report does not explain who the culprit is nor how they sourced the data.
Lowyat.net founder Vijandren Ramadass was reported locally by The Star as saying that the site had handed over the sample of the stolen data it received from the hacker to the Malaysian Communications and Multimedia Commission.
In an email to SC Media UK, Mark James, security specialist at ESET commented, "As usual with this type of stolen data, the concern is what it's going to be used for. When a user is presented with data that has a certain amount of truth, or even data that is of a known personal nature, then the chances of a successful phishing or scam attack are significantly higher. The user can immediately relate to the data and would in most cases follow any instructions that may be within an email, or even through a personal phone call; because in most cases we have no control over what is stored about us online, we have no choice but to comply. If we want the benefits of connected services and the ability for medical organisations to have all the info at hand in case of emergency, in most cases they have to have our most private details."
Lee Munson, Security Researcher at Comparitech.com adds, "Data breaches are becoming both more frequent and much larger in size so the news that millions of Malaysians may have been caught up in the country's biggest ever information grab is not that surprising.
“That the data may have come from multiple different sources, albeit primarily telecoms companies, is interesting as it would suggest the hacker, or hackers, behind the masses of personal data for sale have either been gathering it for some time from multiple sources, or a number of companies have been involved in the illicit sale of personal information.
“Given the nation's previous for internet security, the former is more likely, though that's hardly comforting for the tens of millions of people potentially affected. Quite how the victims of this alleged crime will recover remains unclear until the scope of the breach and validity of the information available for sale are confirmed."
An idea of what the attackers may do with the data was provided by Rod Soto, director of security research at JASK, who emailed SC to point out that the hack of Malaysian telecom operators is just the latest in what has been a significant increase in such malicious activity. He says that, "Based on similar attacks, an objective is to use the stolen information to port phones by calling cellphone carriers. This allows them to receive SMS messages used in two-factor authentication while they reset and take over users' accounts starting with email accounts with access to financial, social media, and corporate accounts. Attacks have also focused on cryptocoin holders and financial services. In some cases, the attacks targeted corporate users, then proceed to target user's corporate close circle or chain of command into changing authentication tokens and trying to access corporate resources."
He adds, "Attacks have shown malicious actors using Google Voice numbers from foreign countries and calling cellphone carriers numerous times until representatives allow porting of phones. In some other cases malicious actors walk into phone dealerships and get phone numbers ported."
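The port-out-then-reset sequence Soto describes leaves a detectable trace if a service can see both halves of it. The following is an added example, not code from the article or from JASK: it assumes the service receives number port-out notifications (from the carrier or a number-lookup feed) in the same event log as its own SMS-OTP password resets, and flags any reset that follows a port-out of the same number within a configurable window. The log format, the 48-hour window and all the accounts and numbers are constructed for illustration.

```python
"""Flag SMS-OTP password resets that closely follow a port-out of the same number.

Added example (not from the article). Assumes port-out notifications and the
service's own reset events land in one chronological event log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumption: a reset within this long after a port-out is treated as suspicious.
PORT_WINDOW = timedelta(hours=48)

# Constructed sample log, not real carrier or service data.
# Fields: ISO-8601 UTC timestamp, event kind, account name, mobile number (MSISDN).
SAMPLE_LOG = """\
2017-10-30T09:12:00Z port_out acct=alice msisdn=+60120000001
2017-10-30T10:05:00Z sms_otp_reset acct=alice msisdn=+60120000001
2017-10-30T11:00:00Z sms_otp_reset acct=bob msisdn=+60120000002
2017-10-25T08:00:00Z port_out acct=carol msisdn=+60120000003
2017-10-30T12:00:00Z sms_otp_reset acct=carol msisdn=+60120000003
2017-10-30T13:00:00Z sms_otp_reset acct=dave msisdn=+60120000004
2017-10-30T14:00:00Z port_out acct=dave msisdn=+60120000004
this line is malformed and is skipped by the parser
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "port_out" or "sms_otp_reset" (other kinds are kept but ignored)
    acct: str
    msisdn: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format, skipping malformed lines; returns events sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "acct" not in fields or "msisdn" not in fields:
            continue
        events.append(Event(ts, parts[1], fields["acct"], fields["msisdn"]))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_resets(
    events: List[Event], window: timedelta = PORT_WINDOW
) -> List[Tuple[str, datetime, datetime]]:
    """Return (account, port_out_time, reset_time) for each SMS-OTP reset that
    happened within `window` after the most recent port-out of the same number.

    Events are walked in time order, so a port-out that happens *after* the reset
    (dave in the sample) does not retroactively flag it, and an old port-out
    outside the window (carol) is ignored.
    """
    last_port: Dict[str, datetime] = {}
    flagged: List[Tuple[str, datetime, datetime]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "port_out":
            last_port[e.msisdn] = e.ts
        elif e.kind == "sms_otp_reset":
            port_ts = last_port.get(e.msisdn)
            if port_ts is not None and e.ts - port_ts <= window:
                flagged.append((e.acct, port_ts, e.ts))
    return flagged


if __name__ == "__main__":
    for acct, port_ts, reset_ts in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        gap = reset_ts - port_ts
        print(f"SUSPICIOUS: {acct} reset via SMS OTP {gap} after port-out of their number")
```

Run against the sample log, only alice is flagged: her reset came 53 minutes after a port-out of her number. bob had no port-out, carol's port-out was five days earlier, and dave's port-out happened after his reset. In a real deployment the flagged reset would be a reason to require a second, non-SMS factor or to hold the change for manual review, which is the carrier-independent control that blunts the porting attack Soto describes.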