A major data leak has reportedly exposed the MyKad information of 17 million Malaysians, sparking fears of potential identity theft and financial fraud.
The incident, allegedly disclosed by a Singapore-based dark web intelligence agency, Stealth Mole’s Fusion Intelligence Center on December 3rd via their X (formerly Twitter) account, has sent shockwaves through the nation.
The firm claims that malicious actors are selling this trove of sensitive data on the dark web, with samples of Malaysian ID cards reportedly shared as proof.
This breach, if it’s in any way true, could represent one of the largest leaks of personal data in Malaysian history.
The National Cyber Security Agency (NACSA) has acknowledged the claims and launched an investigation to determine the authenticity of the alleged breach and its possible scope.
“We understand this is a concerning issue for the public and want to assure you that we are taking it very seriously,” a NACSA spokesperson stated on December 4th to the Star online.
Data Leak and Financial Fraud Often Goes Hand in Hand
The alleged leak raises alarms over how such data could be weaponised.
In recent years, identity theft has surged globally, often leading to financial crimes such as unauthorised credit applications, fraudulent loans, and even phishing schemes.
To put this into perspective, the global identity fraud has risen sharply, with rates reaching 2.50% in 2024, up from 1.10% in 2021.
In Malaysia, financial fraud has been on the rise, with Bank Negara Malaysia (BNM) reporting an increase in cases involving fake banking websites, unauthorised transactions, and other cybercrimes.
As most Malaysians know, our MyKad data mainly includes our full names, IC numbers, addresses, but what most of us don’t know is that it also contains our biometric information.
This presents itself as a goldmine for cybercriminals.
This data could enable the impersonation of individuals, unauthorized access to financial accounts, and the creation of false identities for fraudulent purposes.
Data Leaks Are Not New to Malaysians
Concerns over financial fraud tied to data breaches are not new.
In July this year, Malaysia’s largest bank, Maybank, faced allegations of a potential data leak on the dark web involving its Maybank2u online banking platform.
Despite the bank’s assurances of system security and data protection to its customers, the incident exposed persistent risks associated with data security.
Maybank through a statement emphasised the measures it took and employed to ensure security, such as the use of Secure2U for transaction authentication and a mandatory cooling-off period for high-risk transactions.
In addition to that, the bank also urged its customers to take extra precautionary steps, which is to always stay vigilant, advising them to safeguard their user IDs, passwords, and personal details while remaining cautious of phishing attempts, malware, and unsolicited communications.
Another recent example happened two months ago, where a syndicate in Malaysia was caught stealing and selling the millions of personal data.
The syndicate allegedly hacked databases and stole over 400 million records.
The stolen data included names, IDs, addresses, and bank account details, which the syndicate then sold on a website for RM1.50 to RM2.00 per record or through monthly subscriptions.
The Malaysian Police (PDRM) arrested five suspects, including a Pakistani national believed to be the mastermind and a local man who helped him hack the databases.
As of now, they are also currently investigating the source of the data and working to identify any other syndicates involved.
The Role of National Initiatives
Coming back to the news, the alleged leak underscores the importance of cybersecurity initiatives.
One that comes to mind is the BNM’s National Fraud Portal (NFP), launched in collaboration with Payments Network Malaysia (PayNet).
BNM and PayNet designed the NFP as an integrated platform that automates the end-to-end process of managing fraud reports and tracing stolen funds.
The portal streamlines fraud reporting and analysis, enabling faster responses and more effective collaboration between financial institutions and the National Scam Response Centre (NSRC).
Through the NFP, financial institutions can share information about fraud incidents more effectively, enabling quicker action to recover stolen funds.
The platform also fosters deeper industry collaboration and transparency, empowering financial institutions with tools to protect the public against evolving threats.
Malaysia Must Tie Loose Ends
While investigations into the MyKad data breach are ongoing (plus, it may or may not be true at all), the incident still highlights that there are certain vulnerabilities within Malaysia’s data protection landscape.
It’s time for a more proactive and comprehensive approach to data protection.
This requires a multi-pronged strategy involving strengthening legislation and enforcement, mandating robust cybersecurity measures, empowering individuals and investing in advanced technology.
Featured image credit: Edited from Pixlab and Freepik
UPDATE: Malaysian authorities have confirmed that the news is fake. Read more here.