KUALA LUMPUR: The personal data of millions of Malaysians were believed to have been offered on the dark web by a locally-run syndicate.
A collaborative effort between the federal Commercial Crime Investigation Department, Cyber Security Malaysia and Personal Data Protection Commission led to the discovery of a website containing over 400 million pieces of personal data involving names, identification numbers, addresses, bank account numbers and telephone numbers.
Access to the portal was granted to those interested for between RM200 and RM800 monthly.
Willing buyers could also purchase the data for between RM1.50 and RM2 each.
Federal CCID director Datuk Seri Ramli Mohamed Yoosuf said they launched a series of raids within the Klang Valley beginning Sept 5 where they arrested five people, including two men believed to be the brains of the operation.
"Based on our checks one of the suspects, a Pakistani man who has been in Malaysia for over 10 years, was responsible for hacking into a number of databases together with a local man.
"The two are believed to have set up the portal in order to sell the personal data collected," he told reporters at CCID headquarters here.
Also present were Personal Data Protection Commissioner Professor Dr Mohd Nazri Kama and Cyber Security Malaysia chief technology officer Wan Roshaimi Wan Abdullah.
Ramli said the 47-year-old Pakistani man who was believed to be the mastermind of the syndicate has been charged under Section 130(4) of the Personal Data Protection Act 2010 for allegedly selling personal data.
"The four others, including three men believed to be illegal debt collectors, have since been released on bail.
"We believe these debt collectors had purchased personal data from the syndicate," he said, adding that they believe there are other syndicates who were also using data from the portal.
He said police were currently working towards identifying the other syndicates involved and bringing them to justice.
When asked if the hackers managed to break into databases belonging to government agencies, Ramli said it was under investigation but declined to elaborate.
"We are also working towards identifying the agencies where the data was stolen from, be it government or private companies.
"We want to sit down with them and discuss ways to increase their security measures to avoid such incidents from reoccuring," he said.