Cyber Incident Victim: Malayan Banking Berhad
Date:
Dec 2022
Location:
Malaysia
Summary
Malaysian authorities investigated an alleged data leak involving a financial institution, a media provider, and a government electoral body, following reports that a website exposed personal details of nearly 13 million individuals, including names, birthdates, addresses, and identity numbers. The Ministry of Communications and Digital collaborated with cybersecurity agencies to verify the legitimacy of the compromised data, with preliminary findings indicating potentially invalid account information and possible links to a prior incident. The Election Commission's case was escalated to the national cybersecurity agency due to jurisdictional limits, while access to the implicated website was restricted. The financial institution denied experiencing a breach but initiated its own probe into the claims.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 25, 2022, a website allegedly leaked personal data purportedly belonging to customers of Maybank and Astro, along with voter information from Malaysia’s Election Commission (EC). The incident came to public attention after Communications and Digital Minister Fahmi Fadzil shared a Facebook post by user “Pendakwah Teknologi,” which claimed nearly 13 million Malaysians were affected—specifically 3.5 million Astro subscribers, 1.8 million Maybank customers, and 7.2 million EC voters. The exposed data reportedly included login IDs, full names, dates of birth, addresses, and national identity card numbers. Malaysia’s Ministry of Communications and Digital (KKD) initiated an investigation through the Personal Data Protection Department (PDPD) and CyberSecurity Malaysia (CSM), seeking formal feedback from Maybank and Astro to verify the legitimacy and ownership of the leaked datasets. Preliminary analysis of the exposed Maybank account numbers indicated they were invalid or non-functional, as transactions could not be processed using them. Authorities noted the possibility that the incident might relate to a historical 2018 breach, though official confirmation from involved organizations was required for further investigation under the Personal Data Protection Act 2010 (Act 709).
Maybank issued a statement confirming it was investigating the claims but clarified it had not detected any data breach within its systems. The Election Commission’s data leak fell outside PDPD’s jurisdiction, prompting KKD to refer the matter to the National Cyber Security Agency (NACSA) for additional scrutiny. The Malaysian Communications and Multimedia Commission (MCMC) received a restriction notice to block public access to the website hosting the leaked data. Minister Fahmi emphasized the importance of robust cybersecurity measures and compliance with data protection standards under Act 709 for all organizations handling personal information. The incident underscored operational challenges in attributing and validating data breaches, particularly when historical incidents or third-party vendors might be involved, while highlighting coordinated responses between regulatory bodies to contain potential fallout and restrict unauthorized data dissemination.