COMMSEC: SayaKenaHack: Breach Notification in Malaysia


In 2017, personal data of millions of Malaysians was found breached online. Local authorities were silent, and so too the ISPs who owned the data. I launched a site,, that allowed users to check if they were victims. The site made front page news, only to be blocked by the government on noon the same day.

The session starts with the Chronology of the breach, beginning with the report from about a user trying to sell personal data on their forums. It follows on with the authorities demanding Lowyat remove the report, and the ensuing to-and-fro. It follows with how later confirmed it had seen the 46.2 Million records in question, and that nearly all Malaysians were victims.

I’ll cover how I obtained the data, and how the underground community actually ensures data from breaches never gets lost. Also how this community of ‘volunteers’ keep breaches like Pokemon cards to be traded, and reputation and inventory are the currency of the data breach world.

Finally, I’ll touch briefly on what I think breach notification should look like in Malaysia. How our current Identity cards are both Identifiers and Authenticators, and how this makes no sense (like having the same username and password). How our breach notification laws lag behind most countries, including ones we would consider less developed, and how the authorities have made it politically impossible to notify victims of breach.

Location: BALLROOM 2 Date: August 30, 2018 Time: 4:30 pm - 5:00 pm Keith Rozario