An alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, purportedly stolen from the National Registration Department (NRD), has once again put the country’s data security measures in the spotlight.

Local tech portal Amanz reported that the database, 160GB in size, is being sold for $10,000 on the dark web.

In the screenshot shared by the portal, the seller claimed that this is an expanded database compared to the one he sold in September last year, which was only up to 1998.

In both incidents, it was claimed that the data was siphoned from the NRD through the MyIdentity API (application programming interface). MyIdentity is a centralised data-sharing platform that is used by various government agencies.

Malaysia’s Home Minister Hamzah Zainudin on Wednesday said the alleged data leak did not come from the NRD, but from “several agencies which we have given some leeway for them to obtain information from us”.

He did not name those agencies, or how many agencies had access to MyIdentity data.

Hamzah told reporters after attending an event that there was a mechanism in place which could prove that the leaked information did not come from the NRD.

“Previously, there was a similar allegation but we have managed to prove that the leak was not from the NRD.

“It was from several agencies which we have given some leeway for them to obtain information from us,” he said.

When the first data leak occurred was discovered in September, it allegedly involved the NRD database of people born between 1979 and 1998, and was being sold for 0.2 BTC ($8,000).

But Datuk Seri Hamzah said then: “Don’t worry about data held by NRD. Our firewall is quite strong.”

He said then that all government agencies using the MyIdentity system had been instructed to implement stricter safety measures.

On Wednesday, lawyer Foong Cheng Leong said the lack of transparency on investigations related to data leaks in Malaysia has been frustrating.

“There needs to be an account of how the matter is being investigated and what steps are being taken to ensure that the data is secure.

“The information could serve as a deterrent to others and show that there will be consequences for those leaking private information,” he said in a phone interview.

Mr Foong urged fresh investigations to be conducted by the relevant agencies, including the Department of Personal Data Protection (JPDP) to discover if the leak was genuine.

When contacted, JPDP declined to comment at this point.

Mr Foong said the data from the alleged leak could be used by scammers to dupe victims.

“For example, they could pose as an authority figure and present information such as your MyKad number or address to gain your trust.

“They will use this to convince you to give out more details or perform financial transactions,” he said.

When contacted, CyberSecurity Malaysia declined to comment, stating that the matter is under the jurisdiction of JPDP.

And the NRD has yet to respond to requests for information.

THE STAR (MALAYSIA)/ASIA NEWS NETWORK