‘Leaked phone numbers can be bought anonymously’
KUALA LUMPUR: A cybersecurity services company warned that leaked data could be used by hackers to carry out social engineering attacks to trick users into divulging their details.
This includes extracting the victim’s financial information and passwords, as well as phone cloning, where the identity of the victim is copied to another phone.
Quann Malaysia, formerly known as eCop Malaysia, released a statement following the leak of 46.2 million mobile phone numbers of Malaysian telcos and mobile virtual network operators.
The leak also includes postpaid and prepaid numbers, customer details, addresses, as well as SIM card information, including International Mobile Equipment Identity, a unique number given to every single mobile phone and International Mobile Subscriber Identity numbers, a unique identifier that defines a subscriber in the wireless world.
Quann Malaysia general manager Ivan Wen said buyers could anonymously purchase 46.2 million Malaysian mobile users data for merely RM32,000, or equivalent to one Bitcoin.
“The sale in Bitcoin means that any company or person can anonymously purchase the whole list from this anonymous hacker.
“Currently, while actual Bitcoin transactions are transparent online, the identities of both the seller and buyer remain anonymous and cannot be tracked,” the statement said.
Wen said few countries had yet to put in place proper Know-Your Customer regulations with regard to Bitcoin purchases.
He said it was high time the country took a different approach in dealing with the spiralling number of worldwide ransomware demands.
“It is almost impossible to stop any sale of the leaked data unless the affected companies pay a ransom to the hacker or data thief.
“This, however, does not guarantee that the data would not be leaked.
“We hope that regulators and policymakers will take action to put in more defined processes and regulations, for example, in the upcoming Cyber Security law, to track the purchase and dealings in Bitcoin among Malaysians so that fraudulent (data) purchases can be tracked.”
Wen said individuals or companies found purchasing the leaked data should be penalised. The hacking only existed as there were buyers to fund the hackers.
Wen also urged the Malaysian Communications and Multimedia Commission (MCMC) to aid Bank Negara Malaysia in drafting regulations to stop such fraudulent purchase.
To safeguard oneself, Wen advised Malaysians who had not replaced their SIM cards since 2014 to do so.
“While SIM cards cannot be cloned with the leaked data, the data that has been breached is sufficient to cause significant damages to unsuspecting users.”
Deputy Inspector-General of Police Tan Sri Noor Rashid Ibrahim said the police were working with MCMC and telco companies to solve the data-leak case, but the investigations would take time due to the technicality of the matter.
Three databases belonging to the Malaysian Medical Council, Malaysian Medical Association and the Malaysian Dental Association had also been leaked.