Cyber Incident Victim: DESORDEN
Date: Sep 2022
Location: Malaysia
Summary
A Malaysian telecommunications provider with over 1.2 million subscribers and affiliated financial and insurance services was compromised by the DESORDEN group, which exfiltrated databases and source code containing sensitive customer information including national identification numbers, addresses, phone numbers, and emails. The attackers escalated to targeting the company’s financial and insurance partnership programs after receiving no response to initial demands. Third-party verification confirmed the authenticity of leaked data samples by cross-referencing customer records through the telecom’s systems prior to their takedown. DESORDEN threatened to sell the stolen data publicly unless contacted within a specified timeframe, heightening risks of unauthorized disclosure and potential misuse of highly sensitive personal identifiers.
Description
On September 19, 2022, the DESORDEN hacking group publicly claimed responsibility for a cyberattack targeting Malaysian telecommunications provider redONE Network Sdn Bhd, which served over 1.2 million subscribers and offered financial services through its redCARD program (partnered with a bank) and insurance services via its redCARE program (partnered with an insurer). DESORDEN stated the breach compromised redONE’s databases and source code, exfiltrating sensitive customer data including full names, National Registration Identity Card (NRIC) numbers, addresses, phone numbers, and email addresses. After redONE allegedly failed to respond to the group’s demands, DESORDEN escalated the attack around September 21 by targeting the redCARD and redCARE programs specifically. The group posted samples of stolen data from all three systems (redONE, redCARD, and redCARE) on a hacking forum, with each sample containing NRIC fields. DESORDEN issued an ultimatum threatening to sell the stolen data publicly unless redONE contacted them within 48 hours of their final email, with approximately 24 hours remaining before the deadline at the time of reporting.

Independent verification by DataBreaches confirmed the authenticity of the leaked data by cross-referencing NRIC numbers from DESORDEN’s redONE sample against the telecom’s customer verification portal. The verification process involved entering NRIC values into redONE’s “Identification No” field, which returned valid customer account details including Account ID, activation dates, and termination dates for each tested entry. This confirmation demonstrated that DESORDEN possessed legitimate customer records. In response to the breach disclosure, redONE disabled its ID checker tool, though an archived version of the interface remained accessible. The incident exposed sensitive personally identifiable information across redONE’s core telecom operations and its financial and insurance partnerships, creating risks of identity theft and financial fraud for affected customers. DESORDEN’s pattern of leaking partial data samples while threatening to monetize the full dataset remained unresolved at the time of reporting, with no public statement from redONE regarding containment or remediation efforts.
