Between May and July 2014, 46.2 million phone numbers in Malaysia were obtained through a data breach and leaked online.
But most Malaysians did not know about the breach until technology news portal Lowyat.net reported the news on October 19, when someone tried to sell the data through the website’s forum page.
The leak included postpaid and prepaid mobile phone numbers, customer details, addresses as well as SIM card information from 14 different telecommunication companies. Also included in the leak was the medical information of about 80,000 persons from the databases of three medical associations. It is reportedly the largest case of personal data breach in Malaysian history.
The government regulator Malaysian Communications and Multimedia Commission (MCMC) asked Lowyat.net to take down the article while a probe into the breach is being conducted. The article was removed but restored a few days later. MCMC said it worked with telcos to determine the cause of the data breach and is already preparing to arrest a suspect.
Dissatisfied with the slow action of the government and telcos in providing information to the public, tech blogger Keith Rozario created and uploaded the Sayakenahack microsite on November 12, 2017 to help users verify if their phone number was among those leaked in 2014. Rozario is a Malaysian architect based in Singapore who blogs about technology issues.
Rozario clarified that the data he used in Sayakenahack is already publicly available and that he merely made it easier for ordinary Internet users to verify whether their personal information was affected. He added that the privacy of users is protected because the website does not reveal the complete information of those who submitted their phone numbers.
According to news reports, Sayakenahack was visited by 150,000 people within 36 hours of operation.
But acting upon a formal request from the Data Privacy Protection Department, MCMC blocked Sayakenahack for violating the Private Data Protection Act of 2010.
Rozario advised users on how to access the website through other means, but he agreed to take down the website on November 19.
Like Rozario, Lowyat.net is frustrated with the slow response of authorities:
We are extremely concerned that no remedial action has been taken by the service providers involved to protect those that have been affected by the breach. In this day where everything is stored electronically, data security breaches are not something to be taken lightly.
But it supported the decision of MCMC to block Sayakenahack:
Keith Rozario is the good guy here, who set up the site for a very noble purpose, however, that does not stop unscrupulous individuals from abusing the data for their own needs. There will also always be a big question mark on whether it is right for the data to be manipulated in any way without consent from the actual owners.
For his part, Rozario defended his decision to create Sayakenahack:
I believe that you have a right to know about it, in a timely manner. Authorities can’t sit on the data for weeks without letting you know on any pretense.
To ban Sayakenahack is to say geeks and hackers can access the data — but not the average joe. It’s emphasizing that normal people don’t deserve that knowledge while geeks and hackers do.
This is elitism, and it’s wrong.
Some Twitter users criticized the MCMC for blocking Sayakenahack:
MCMC and other government department should not and must not have power to censor. It is ineffective and it is not helpful to the citizen. It also show the attitude of government not wanting to solve problem but to cover up. https://t.co/lFkyF2Uftl
— sweemeng (@sweemeng) November 16, 2017
This is probably the country’s biggest data leak/tech scandal, and @SKMM_MCMC’s way of dealing with it seems to be just censoring and covering everything up.
What exactly are they trying to hide? https://t.co/QTs1i1wMiP
— Zurairi AR (@zurairi) November 16, 2017
Eric Paulsen of Lawyers for Liberty accused the MCMC of prioritizing the arrest of Internet users who are ‘insulting’ politicians on social media instead of strengthening the country’s data protection capabilities.
What have MCMC done to ensure that the personal data stored on public and commercial websites are secured? Did these websites and MCMC know about the breach earlier but failed to inform the public or their customers? MCMC should also be updating the public from time to time regarding the progress of their investigation instead of keeping a general silence on the matter.
MCMC must get their priorities right. Instead of wasting valuable resources in trying to rein in ‘insulting’ remarks against the Prime Minister and other personalities, MCMC should be focusing on real crimes and issues like fraud and data security.
Rozario’s work was appreciated by The Star newspaper which published an editorial after the blocking of Sayakenahack:
Thanks to him, a few Malaysians can enjoy the peace of mind that comes from knowing their personal information was not leaked.
For this much needed public service – filling in the gaping chasm of inactivity on the part of the telcos concerned – the MCMC decided to block the site
It is a pity that instead of lauding his effort, too many of us decided to shoot the messenger