Cyber Incident Victim: Ifmal
Date: Feb 2021
Location: Malaysia
Summary
A seller advertised a database allegedly containing personal details of 200,000 Malaysians, including names, addresses, phone numbers, and national identification numbers, claiming it originated from a local e-commerce platform. The platform denied involvement, asserting it never collected identification numbers and maintained a smaller customer base than the dataset suggested. Independent verification confirmed the platform's registration process did not request such sensitive information, casting doubt on the legitimacy of the seller's attribution. Despite unresolved questions regarding the data's true source, the incident highlighted potential exposure of citizens' personal information, prompting calls for official scrutiny.
Description
On or around February 6, 2021, an online seller listed a database purportedly containing personal details of 200,000 Malaysians for sale on an underground marketplace. The seller claimed the data originated from Ifmal, a local e-commerce platform, and included sensitive information such as full names, physical addresses, phone numbers, and national identification card (IC) numbers. The listing appeared on the same underground marketplace that had recently featured the alleged E-Pay Malaysia database leak, suggesting a pattern of similar malicious activity. Ifmal swiftly denied any involvement or ownership of the leaked database through an official statement on its Facebook page. The company asserted its customer database was significantly smaller than 200,000 records and emphasized it had never collected IC numbers during user registration or transactions.

Independent verification by Lowyat.NET confirmed inconsistencies between the leaked dataset's characteristics and Ifmal's actual data collection practices. Examination of Ifmal's registration process revealed the platform only requested standard e-commerce details like names, addresses, and phone numbers, with no IC number field present. This discrepancy raised critical questions about the database's true origin and authenticity, though the seller maintained their attribution to Ifmal. Despite unresolved questions regarding the data's provenance, the incident highlighted potential risks to Malaysian citizens' privacy, prompting calls for authorities to investigate the listing's legitimacy. The lack of corroborating evidence linking the data to Ifmal left the breach's scope, attack vector, and responsible parties unconfirmed, with no public disclosure of containment measures or forensic findings by the implicated platform.
