Lowyat.net discovered the personal information of pledged organ donors had been available online – and for free – since as early as September 2016
The personal information of over 200,000 Malaysian organ donors and their next-of-kin has been leaked, a local tech portal reported on Tuesday.
Online forum Lowyat.net confirmed that the 290,000 files containing the personal data of pledged donors were made available online as early as September 2016, Reuters reported.
This is the second data breach to hit Malaysia in just the past three months. The first leak, in November, is considered one of the largest in all of Asia.
In that earlier breach, the personal data of more than 46 million Malaysian mobile users was compromised and an attempt was made to sell it online.
The first leak is still under investigation, and no arrests have been made.
Khalidah Mohd Darus, the commissioner for the Personal Data Protection Department, issued a statement on the organ donor leak, saying the agency was attending to and investigating the “serious incident”, according to the New Straits Times.
The Malaysian Communications and Multimedia Commission (MCMC), the country’s internet regulator, has also agreed to assist the police in probing who is responsible for the data breach, Reuters reported.
The police, however, do not seem as confident in uncovering the source responsible.
Inspector-General of Police Mohamad Fuzi Harun told a group of reporters that he believes the source to be the same as the one who provided Lowyat.net with the tip-off for the previous data leak, Today Online reported.
“We are a little suspicious about it, over how it came from the same source. It is something we find strange,” said the inspector-general.
The information at risk of being compromised in this recent breach includes the organ donor’s name, identification card number, ethnicity, home address, contact information and the organs they’d be donating, in addition to information on their next-of-kin.
Lowyat.net expressed grave concern about this latest leak in their report, stating that, though this leak is not as large in scope as the telco one they reported back in November, it does have the potentially very serious implication of revealing the personal information of the elected next-of-kin.
“This doubles up the actual number of records leaked to 440,000 and also links two individuals to each other in a binding relationship – whether it may be husband/wife, siblings or parental,” the New Straits Times reported Lowyat.net as saying in their report.
In the report, the online forum went on to explain how they suspected the data was initially compromised through a central database, which had its files uploaded in September 2014 through a popular file sharing service.
Information in the database was last updated in August 2016, but the online forum said that, for reasons they were unable to “ascertain”, the personal information collected from 1997 to 2008 was filled with dummy data.
Individuals who had their organ donor information entered between January 2009 and August 2016, however, have been jeopardised.
In an interview with Reuters, Vjandren Ramadass, the founder of Lowyat.net, explained that he and his team were shocked to find the donor information readily available through a commonly accessed file sharing site, and for free.
“The files are still online now. We did submit a direct request to the host on Sunday to remove the files but we didn’t get any response,” said Ramadass.
Following Lowyat.net’s report, Today Online reported that the Malaysian police had already narrowed down a number of potential suspects responsible for the organ donor data breach.