Certainly a breach too far
The leaked personal information of 46.2 million mobile phone users in the country has made them vulnerable to cybercriminals and exposed the shortcomings of the law protecting data.
LAST Saturday, there was a missed call message on the phone. It was an unknown number from Bangladesh, so I ignored it.
When the phone rang, displaying another strange number from the United Arab Emirates on Monday, one word flashed in my mind: wangiri.
The Japanese term means “one (ring) and cut”. The strategy behind the “missed call” scam, which apparently originated in Japan, is to trick people into calling the number back.
Some people do, thinking that it could have been an important call, while others do so out of curiosity.
Their calls will then be rerouted to a premium number for international calls, where they will hear prerecorded messages promoting exclusive offers, free gifts and even sexual propositions.
The “robocall” messages are designed to keep the person connected on steep charges – as high as US$8 (RM33) per minute.
Weeks later, victims of the fraud will get the bill and find out that they have been cheated.
How do the scammers get the numbers? They buy them on “darknet markets” in the dark web, the part of the Internet that requires special software to access.
These fraudsters hack into systems which deal with connections and payments of customer calls across international mobile networks to con their victims.
But the wangiri scam is just the beginning of our worries. We face much bigger threats.
The police and the Malaysian Communications and Multimedia Commission (MCMC) are now in the thick of investigations into one of the largest data leaks in the region.
As disclosed by online forum and technology news site lowyat.net on Oct 19, personal information of 46.2 million mobile phone users in Malaysia was breached in 2014 and put up for sale.
The leaked data involved information stolen from at least 12 telcos as well as organisations such as the Malaysian Medical Council, the Malaysian Medical Association, the Malaysian Dental Association and employment portal Jobstreet.com.
The number is 14.2 million more than our current population of 32 million, because many people use more than one mobile phone number, in addition to tourists who used local SIM cards while in the country. In other words, almost all Malaysians and millions of visitors to the country were hit.
The extensive data breach exposed their personally identifiable information (PII), including addresses, birth dates, gender, education, identity card numbers and subscriber identification module (SIM) card information, enabling cybercriminals to create fraudulent identities to steal money.
These crooks could also use the information for social engineering attacks, via emails sent to victims invoking urgency, fear or other emotions, resulting in the person divulging sensitive information or clicking on links containing malware or spyware.
It is shocking that, apparently, no one knew about the breach until lowyat.net made the exposé.
On Nov 16, Inspector-General of Police Tan Sri Mohamad Fuzi Harun said police had found solid leads into the leak, adding that workers of a company tasked with transferring the data could have taken advantage of the situation.
Two days later, it was reported that the breach was traced to an IP address in Oman. The police have since narrowed it down to several email accounts and are tracking down their owners.
On Monday, online news portal Malaysiakini said its analysis showed that the enormous data breach could be traced to the Public Cellular Blocking Service (PCBS), initiated by the MCMC in 2013 to bar stolen phones from being used even if the SIM card is changed.
The official launch of PCBS in 2014 led to the creation of the Malaysian Central Equipment Identity Register (MCEIR), a database of International Mobile Equipment Identity (IMEI) numbers, identifying every mobile phone used in the country.
According to the online portal’s report, the telcos compiled a database of their users and handed it over to PCBS, which was not managed by MCMC but outsourced to a private company.
Commercial Crime Investigation Department principal assistant director (cybercrimes and multimedia investigations) Senior Asst Comm Ahmad Noordin Ismail has reportedly confirmed that the company is under investigation over the data breach.
MACC chief commissioner Tan Sri Dzulkifli Ahmad has said that although no report has been received on the matter yet, those with information could come forward.
Coming back to the issue at hand, let’s look at the Personal Data Protection Act (PDPA) 2010, which came into effect on Nov 15, 2013.
It has seven data protection principles – general, notice and choice, disclosure, security, retention, data integrity and access – all of which shield personal information and safeguard consumers and businesses.
Unlawful collection, disclosure or sale of data is punishable with a fine of RM500,000, three years’ jail or both. Those who abet or attempt to commit such offences face the same punishment.
But unlike data protection laws across Europe and the United States, the PDPA does not have mandatory rules to notify affected users of security breaches.
Worse still, there are no provisions under the Act to claim for compensation for distress or damage caused by the leak of information.
According to the FAQ section of the Department of Personal Data Protection, the Act “does not give a specific right to claim for compensation”.
This is unreasonable for users who have no other choice but to provide sensitive personal information to mobile phone service providers.
In all fairness, the Act should provide consumer groups the right to seek collective redress if companies which collect data or entities involved in storing them are found to be responsible for security breaches.