Originally highlighted by Amanz, it was first noted that the database is being offered through the dark web. However, our search showed that the listing took place at a well-known database marketplace forum instead which is much easier to access.
In case this sounds rather familiar to you, this is because something similar happened before in September 2021 albeit at a different website called Raidforums. However, this particular marketplace has since been taken down through a global operation led by the United States earlier this year. Nevertheless, the September 2021’s leak was mentioned by the seller of the new listing which was published in the marketplace late last month. Not only that, the seller also claimed that myIDENTITY API was the source of their new offering, similar to last year’s listing. As noted in our previous report, myIDENTITY is a data-sharing platform designed for the public sector that enabled government agencies to obtain personal details from a centralised repository. When commenting on last year’s incident, Minister of Home Affairs, Hamzah Zainudin has said that 104 agencies have received permission to utilise the platform. Meanwhile, the seller also claimed that the 160GB dataset has 22.5 million rows in it with 20 attributes such as name, IC number, address, date of birth, gender, race, religion, mobile number, and Base54-based photo. To prove their point, they posted information belonging to Hamzah Zainudin in their listing which is quite daring, to say the least. For now, it is unclear whether JPN and other related government agencies are aware of this listing. Regardless of that, we believe it is certainly high time for the authorities to put their foot down and conduct a thorough security audit on the myIDENTITY platform as well as the agencies that have access to it.