Australia and Malaysia hit by major data breaches

2 Nov 2017


Malaysian mobile subscriber information leaks on the web as Australian government employee records are left exposed.

A double whammy of data breaches from Malaysia and Australia has once again intensified the spotlight on cybersecurity and data hygiene practices of companies and organisations around the world.

According to Reuters, Malaysian authorities are looking into an alleged attempt to sell the data of more than 46m mobile phone subscribers, in one of the biggest data leaks recorded in Asia. The breach was reported first by local publication Lowyat.net, which had received a tip that someone was endeavouring to sell massive amounts of personal data on its forums.

Malaysian breach could affect all citizens

The Malaysian Communications and Multimedia Commission is looking into the matter with the police. Communications and multimedia minister Salleh Said Keruak said yesterday (1 November) that the government had zeroed in on several potential sources, with the probe due to be completed soon.

Data leaked included mobile phone numbers, ID card numbers, home addresses and SIM card data of about 46.2m people from at least 12 mobile phone and network operators in Malaysia.

The leak has been compared to the large-scale breach of Equifax earlier in the year, with criminals possibly able to create false identities to make purchases online.

An unnamed researcher told Reuters that there had been considerable interest in purchasing the data with bitcoin on the dark web before the breach was discovered by authorities.

According to a BBC report, almost every Malaysian could be affected as many people have multiple phone numbers. Tourists on temporary pre-paid numbers may also be affected.

Australian employee information leaked

Meanwhile, in Australia, a report today from iTnews revealed that the personal details of nearly 50,000 employees of Australian government agencies, banks and a utility have been exposed online by a third-party contractor.

It looks to be the country’s second-largest data breach after last year’s leak of blood donor information. A total of 48,270 personal records were left exposed on a misconfigured Amazon S3 bucket.

A Polish security researcher known as Wojciech found the exposed data during a search, unearthing full names, phone numbers, IDs, email addresses and some credit card numbers as well as staff expenses and salary information.

Insurer AMP saw 25,000 staff records exposed, followed by services firm UGL and Rabobank. 3,000 records from the Australian Department of Finance were also exposed, as were some from the country’s electoral commission and the National Disability Insurance Agency.

Unnamed third-party contractor could be at fault

The databases were created as backups in March 2016, and it is suggested that a single third-party contractor is responsible for the breach, although none of the affected bodies have named names.

The Australian Cyber Security Centre said it has secured the information, while AMP also stated that the matter was swiftly dealt with. Other affected companies did not comment.

CEO and founder of CybSafe.com, Oz Alashe, said of the Australian incident: “The information lost in the hack – credit card numbers, passwords, full names, phone numbers and email addresses – can be easily leveraged for convincing, targeted phishing attacks, otherwise known as ‘spear phishing’. All of these details could also quite easily facilitate financial fraud.”

Alashe raised concerns about those employees affected by the breach. “The Australian Cyber Security Centre has purportedly been working with the external contractor since the breach to put in place effective measurements to prevent this happening again. The question remains: what about those affected by the breach? Have these individuals been consulted and advised on what to do, now that their personal details are out in the open?”

Victims of data breaches must be vigilant

Alashe said that passwords need to be changed immediately and credit cards need to be replaced. Victims also need to be wary of future email and telephone conversations, which could be leveraged for scamming.

He also mentioned that the breach occurred through a “publicly available cloud serviced by a third-party supplier”, warning that the issue of weak third-party security practices would not go away any time soon.

He concluded: “In recent years, companies and public bodies are finding that the weak link in their cybersecurity strategy is not, in fact, their own cybersecurity defences. Increasingly, the chink in an organisation’s armour comes from the smaller companies they do business with.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.
