KUALA LUMPUR: Concerns have been raised over a possible weak spot in Malaysia's cyber security system, which could potentially grant unscrupulous parties access to the data of millions of Malaysians.
The breach allegedly came in the form of an Open Systems Intelligence (OSINT) tool that is available on the publicly accessible Internet, which in theory would allow those with enough know-how access to people's personal data.
Experts claimed that while personal data of individuals had previously been available on the 'dark web', making the information easily procured on 'clearnet', or publicly accessible Internet, is a different ball game altogether.
The alleged data breach was highlighted by a social media user who goes by "Cyber Guardian" via the Twitter handle @Radz1112.
The Twitter user claimed that using the tool, one could verify the data of a person including if he or she was working with the police or military, among others.
"There's an OSINT tool already out in the 'clearnet' that is using the leaked National Registration Department (NRD) database.
"All you need is someone's name and maybe birth year, and you can verify that they're working for the Malaysian police and/or military," the user said in a series of tweets that was also accompanied by screenshots of the alleged search made using the tool.
The user claimed that information related to the MySejahtera application could also be retrieved using the tool. However, the user claimed that one has to pay to get the information.
While none of the claims have yet to be verified, they have caught the attention of DAP Social Media Bureau chairman Syahredzan Johan.
"Yes, there is a site, accessible from a Google search, that will allow anyone to search a Malaysian by their name, IC (identification card number), and/or date of birth.
"If you search a person by name, their 'anggota' ID (identification) number will show up," the same user said in a Twitter exchange with Syahredzan.
The user also claimed that he received many private messages requesting for the website.
"No, I am not going to share it. Somebody could be using it to harm somebody else. This is way too much power anybody should be having," the user said.
Considering such claims, the user also urged Malaysians to remove their real name, any indications of their birthday, delete any pictures of their license plate and the state they were born in from their social media accounts.
"We cannot and should not stop advocating for better national cyber security.
"Just because we are 'doxx-able' (vulnerable to exposure online) from being born before 2004, it does not mean our kids (children) should have to suffer the same fate," said the user.
Syahredzan urged the authorities to take the matter seriously.
"I checked the site, and while detailed data requires registration and payment (which I do not want to do), the personal data seems to be there.
"For example, you just need to search the name of a person and the IC number (redacted) is there. It is very worrying," he said.
The claims came as no surprise to cyber security expert, Fong Choong Fook.
He told the New Straits Times that data concerning the public have been "widely available" even before the alleged NRD data leak issue surfaced.
"Nothing is surprising. The difference is that this author (the Twitter user) claimed that the tools are available on 'clearnet' which is on the public Internet, searchable via Google (search engine)," Fong, who is also the chairman of LGMS Bhd & Cybersecurity Consultant, said.
He, however, said the tool could easily be taken down by the authorities if there was a complaint made against it.
"If someone lodged a complaint, it could be easily taken down," he said.
Universiti Sains Malaysia's National Advanced IPv6 Centre director Associate Professor Selvakumar Manickam, said if the claims about the data breach is true, the information could be used to the advantage of scammers and other cyber criminals.
"We can expect a new wave of such activities in the near future since those who understand and perform the right search on Google will be able to find this website," he said.
Criminologist Kamal Affandi Hashim said with enough knowledge, anyone can explore and exploit such information to their advantage.
"It is similar to our details which are accessible by third parties such as credit companies or (debt) collection agencies.
"I'm not worried at all about the integrity of government data, which are kept very secure with a system of check and balance.
"However, the same could not be said about personal information being mirrored to third parties," he said.
Selvakumar said if the claims were genuine, then it warrants the government's investment in cybersecurity infrastructure, enforce stringent security policies in government e-service, perform penetration and other security tests from time to time.
"The impact on national security can be devastating if not addressed now.
"The government should also consider forming a national task force comprising cyber security experts from the universities, agencies, and industries to bolster the existing security posture and patch the security 'holes' found," he said.
Fong, meanwhile, said the government should be transparent with the public in its investigation into any cases involving data leaks or breaches.
Knowing the root cause of such cases, he said, would enable the public to protect themselves.
"After having suffered so many rounds of data leaks, the government has never even announced what kind of leaks, what have they done in terms of forensic investigation, the people involved and what are the root causes.
"We have no transparency over these kinds of issues," he said.