A 2014 data breach may have left the personal details of tens of millions of Malaysians for sale online for “a long time,” according to Vijandren Ramadass, the founder of tech portal Lowyat.net, who uncovered the data leak.
According to a New York Times report, “Malaysia said on Wednesday it was investigating an alleged attempt to sell the data of more than 46 million mobile phone subscribers online, in what appears to be one of the largest leaks of customer data in Asia.”
The leak is alleged to have affected almost every Malaysian and maybe millions of tourists. A user tried to sell the data on Lowyat.net last month.
Ramadass’ investigation into the leak led him to the dark web, where he found web links to download the data, the Times noted. Ramadass said the fact he was able to obtain all the data for free suggested it had been around for a while. Time stamps indicate the leaked data was last updated between May and July 2014.
“Somebody might have already made a lot of money from it, and somebody else decided to release it,” Ramadass told Reuters. “The longer the data is out there, the more likely it is to be released for free.”
The leaked data, which might allow criminals to create fraudulent identities to make online purchases, included mobile phone numbers, ID numbers, addresses, and SIM card data. It also contained personal data from some medical associations and a jobs portal, the Times report noted.
It’s crazy to think that this amount of data could wind up for free on the dark web three years after a breach and the organization breached has no idea it ever happened. The mean time to detect is still entirely too long.
This leak could be used for everything from phone cloning to more nefarious activities.
The leak not only puts individuals at risk but could also be used to harm organizations. An attacker could use this data to spoof the mobile device of your CEO or CFO and send you a text message telling you to complete a wire transfer. Any intelligence agency would be more than happy to have access to this much data on mobile users.
Organizations have to know where their valuable data is and have controls in place to detect not only the breach itself but also the data hitting the dark web.
This organization had multiple chances along the way to detect the breach, the exfiltration of data and the subsequent posting of the data on the dark web. It’s also quite possible that, based on “weird” activities reported by users, they could have figured it out. We remain marginally better than 20 years ago at detecting breach activity. We have to get better at this and we have to get better now.