Jobstreet confirms breach of customer data

KUALA LUMPUR, 2 Nov 2017: 

Online employment site jobstreet.com has sent emails to its customers saying some personal information of accounts created before 2012 has been exposed.

The company confirmed it sent the emails to customers but gave no further details.

Malaysia is investigating an alleged attempt to sell the data of more than 46 million mobile phone subscribers online, in what appears to be one of the largest leaks of customer data in Asia.

The massive data breach, believed to affect almost the entire population of Malaysia, was first reported last month by Lowyat.net, a local technology news website. The website said it had received a tip-off that someone was trying to sell huge databases of personal information on its forums.

The country’s internet regulator, the Malaysian Communications and Multimedia Commission (MCMC), was looking into the matter with the police, Communications and Multimedia Minister Datuk Seri Dr Salleh Said Keruak said yesterday.

“We have identified several potential sources of the leak and we should be able to complete the probe soon.”

The leaked data included lists of mobile phone numbers, identification card numbers, home addresses, and SIM card data of 46.2 million customers from at least 12 Malaysian mobile phone and mobile virtual network operators (MVNO).

Cybersecurity researchers said the leaked data was extensive enough to allow criminals to create fraudulent identities to make online purchases.

Justin Lie, CEO of Cashshield, a Singapore-based anti-fraud company, compared the Malaysian case in its “degree of complexity” to the cyber attack on US credit-scoring agency Equifax Inc, which said in September that cyber criminals had stolen sensitive information from 145.5 million people.

“Now these hackers have more quality information such as birth dates, IC numbers, mobile numbers, email address and passwords,” Lie said about the Malaysian attack.

Customers of Malaysia’s biggest mobile service providers, including Maxis, Axiata Group’s Celcom and DiGi , among others, were affected.

MCMC’s chief operating officer Mazlan Ismail said on Tuesday the regulator had met with local telecommunications companies to seek their cooperation in the probe.

Celcom, Maxis and Digi said in separate statements they were cooperating with authorities on the investigation.

According to a Singapore-based cybersecurity researcher, the leaked database was initially being sold on several underground forums for one bitcoin, which was trading yesterday at around US$6,500. At least one other user was posting a link for anyone to download it for free.

The researcher, who declined to be named, said he had seen at least 10 people on an online forum in the “dark web” download the data before it was taken offline. “Discussion in the dark web shows a huge interest.”

Time stamps indicate the leaked data was last updated between May and July 2014, Lowyat.net said.

“We are urging the telco and MVNO companies mentioned above to alert, and start immediately replacing the SIM cards, of all affected customers, especially those who have not updated their SIM cards since 2014,” Lowyat.net said in a post.

Malaysia’s population is around 32 million, but many have several mobile numbers. The lists are also believed to include inactive numbers and temporary ones bought by visiting foreigners.

Bryce Boland, FireEye’s chief technology officer in Asia Pacific, said if the data was widely available as suspected, it could be used for identity fraud and scams. “This stolen data may ultimately impact almost every Malaysian.”

The data also includes private information of more than 80,000 individuals leaked from the records of the Malaysian Medical Council, the Malaysian Medical Association, and the Malaysian Dental Association, Lowyat.net said.

– Reuters

Leave a Reply