Following up on our report on 19th October, we can now confirm that roughly 46.2 million mobile phone numbers from Malaysian telcos and mobile virtual network operators (MVNO) have been leaked online.

ADVERTISEMENT

The leak includes postpaid and prepaid numbers, customer details, addresses as well as sim card information – including unique IMEI and IMSI numbers.

Time stamps on the files we downloaded indicate the leaked data was last updated between May and July 2014 between the various telcos. The exact numbers, broken down by telco/MVNO provider, and further broken down by prepaid or postpaid segments are as below.

Telco/MVNO Total Records Last Updated Celcom Prepaid 10,548,183 03-06-2014 Celcom Postpaid 4,194,315 03-06-2014 Digi Prepaid 11,411,815 30-05-2014 Digi Postpaid 2,036,730 30-05-2014 Umobile postpaid + prepaid 3,866,672 30-05-2014 Maxis Postpaid 2,840,741 29-07-2014 Maxis Hotlink 9,562,019 29-07-2014 Friendi Mobile 43,523 29-06-2014 MerchantradeAsia 446,203 07-07-2014 Tunetalk 597,276 unknown Redtone 246,613 30-05-2014 XOX 79,139 30-05-2014 Altel 24,279 unknown PLDT 68,900 17-07-2014 EnablingAsia 212,139 30-04-2014 Total 46,178,547

We are also now fairly certain that the individual who tried to sell the data two weeks back acquired the data in a similar fashion that we did, and tried to make a quick profit by attempting to sell it on our Forums.

We have shared all details regarding the data that we uncovered, as well as how we managed to obtain all the data with the MCMC last week.

The MCMC is following up with the relevant agencies to determine the source of the breach, but we now believe that the data was already being traded online much earlier then we first estimated. Based on the condition of the files that we obtained, we are quite certain that it has already changed hands more than once.

Medical Practitioners Database

Aside from the telco database, we can now also confirm that a total of 3 databases belonging to the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA), as well as the Malaysian Dental Association (MDA) have also been leaked.

Database Total Records Last Updated Malaysian Medical Association (MMA) 15,965 05-02-2015 Malaysian Medical Council (MMC) 61,062 06-03-2015 Malaysian Dental Association (MDA) 4,282 25-01-2015 Total 81,309

As mentioned in our previous post, these medical databases include personal information, MyKad numbers, mobile/work/home phone numbers, as well as work and residential addresses.

Remedial Action

We first highlighted about this data breach on 19th October, and we are extremely concerned that no remedial action has been taken by the service providers involved to protect those that have been affected by the breach.

In this day where everything is stored electronically, data security breaches are not something to be taken lightly. Any entity, public or private, that stores proprietary or sensitive data electronically could end up having that data stolen or lost – with catastrophic consequences.

While it is the task of the authorities to narrow down the source of the breach, and ensure that a similar incident doesn’t happen again, the key to containing any more serious damage is protecting the individuals affected by the breach.

We are urging the telco and MVNO companies mentioned above to alert and start immediately replacing the SIM cards of all affected customers, especially those who have not updated their SIM cards since 2014. While the leaked data alone isn’t sufficient to clone the SIM cards, the information available can be exploited to initiate multiple social engineering attacks against affected users.



Public awareness of the data breach, as well as vigilance are critical to keeping consumers safe after a data breach. The United States have enacted the Security Breach Notification Laws across 48 states that requires private or governmental entities to notify individuals of security breaches of information involving personally identifiable information – with California enacting it as early as 2002.

8 6 6 9 9 102