PARLIAMENT | It is too premature to point fingers at any party for the massive data breach of Malaysian mobile subscriptions, Deputy Communications and Multimedia Minister Jailani Johari told the Dewan Rakyat today.
"The investigation is still ongoing. It is a bit premature for us to identify the perpetrator behind the incident," he said when winding up the Budget 2018 debate.
"I believed that the police will call witnesses they have identified to make statements. On our part, the Malaysian Communications and Multimedia Commissions (MCMC) has contacted all the telecommunications companies to collect information of the incident," he said.
He was responding to Wong Chen (PKR-Kelana Jaya) who linked the data leak to the Public Cellular Blocking Service (PCBS), which is managed by private firm Nuemera Sdn Bhd.
"We know that the data leak of 48 million users was from Nuemera because it adopted proprietary system that collects data from all the telecommunication companies," said Wong.
Malaysiakini had reported that the breach could be traced to a phone security service under the purview of MCMC.
Information which surfaced suggested that the personal data stolen might have been destined for the MCMC system intended to deter mobile phone theft.
The leaked telco data was part of the larger trove of stolen data, which was first highlighted by Lowyat.net on Oct 19, after an attempt by an unknown user to sell them on the technology portal's forum.
In its analysis, Malaysiakini found several file names of the telco data containing either the word PCBS, MCMC or SKMM. File names from at least six telcos had used these references.
Both MCMC and SKMM are abbreviations for the Malaysian Communications and Multimedia Commission.
The PCBS, launched in February 2014, was an initiative by the MCMC to provide a service that allowed stolen phones to be blocked from making calls, texting or accessing the internet, even if the sim card is changed.
A telco executive, speaking on condition of anonymity, confirmed to Malaysiakini that the telcos had compiled a database of their users and handed them over to the PCBS.
In 2014, the telcos also sent notices to their customers that their personal data will be released to the Malaysian Central Equipment Identity Register (MCEIR). These notices are still available on the websites of most major telcos.
However, the PCBS was not managed by MCMC itself, but outsourced to private firm Nuemera Sdn Bhd.
The telco source did not disclose whether the personal data were surrendered to the MCMC or directly to the manager of the system, which is Nuemera.
When contacted, Bukit Aman’s CCID (cybercrime and multimedia investigations) principal assistant director Ahmad Noordin Ismail confirmed to Malaysiakini that police were investigating Nuemera over the data leak. However, he did not disclose the nature of the investigation.
Previously, inspector-general of police Mohamad Fuzi Harun said that it was possible that the breach "occurred after several staff (members) from a company tasked with transferring the data took advantage of the situation."
Both the MCMC and Nuemera declined to comment on questions regarding the stolen data and the PCBS.
When met at Parliament earlier today, Communications and Multimedia Minister Salleh Said Keruak declined to comment on the matter.
“I don’t want to comment. Ask the MCMC,” he was quoted as saying by The Star.
RELATED REPORTS
Massive data leak trail leads to MCMC's phone blocking system