Nacsa launches investigation into alleged leak of four million users’ data
The National Cyber Security Agency (Nacsa) has initiated an investigation into claims that personal information from four million U Mobile subscribers may have been leaked online. According to a report by Christopher Fam for The Star on July 17, 2024, the leaked data was being sold on a dark web forum for US$5,000 (RM23,380) worth of Bitcoin.
The seller claimed the data breach exposed personally identifiable information (PII) such as names, MyKad numbers, addresses, and phone numbers. However, the sample posted appeared incomplete with some records missing details like MyKad numbers and addresses.
U Mobile acknowledged they were aware of the alleged data breach and confirmed they were working closely with authorities to investigate the matter.
U Mobile Data Breach investigation links data to 2014 breach
In a follow-up article by Ian Chee on Lowyat.NET dated July 18, 2024, U Mobile provided additional information on their investigation. They stated that while examining the stolen data closely, preliminary findings suggest the records actually originated from a major data breach in 2014 rather than a new incident.
As the article mentions, in 2014 approximately 46.2 million Malaysian phone numbers and personal records from various medical institutions were leaked online. At the time, it was one of the largest known data breaches.
A U Mobile spokesperson noted “We are continuing to work with the relevant authorities to address this matter and will provide updates once information is secured.”
They reiterated their commitment to data security and cooperating fully with Nacsa’s ongoing probe.
In summary, while hackers recently tried selling what they claimed was a new U Mobile user database leak, the cellular provider’s investigation points towards the compromised information actually stemming from a significant data security incident in Malaysia almost a decade ago in 2014 rather than a fresh breach. Both U Mobile and authorities are still analyzing the full scope and details surrounding this attempted sale of outdated personal subscriber records.