Cyber Incident Victim: National Registration Department
Date: May 2022
Location: Malaysia
Summary
A large-scale data breach allegedly exposed personal information of 22.5 million Malaysians, including national identity numbers, birth dates, addresses, gender, religion, and official photographs, with the dataset reportedly sold on the dark web. Malaysian authorities denied the leak originated from the National Registration Department, citing internal security mechanisms, though this followed a similar prior incident involving millions of records from the same department. Cybersecurity experts warned the compromised data could facilitate identity fraud, such as unauthorized financial transactions, while highlighting common challenges in breach detection, including organizations often learning of leaks through external reports. The government faced public scrutiny over perceived insufficient urgency in addressing recurring cybersecurity vulnerabilities within its agencies.
Description
In May 2022, reports emerged of an alleged data leak involving the personal information of 22.5 million Malaysians, attributed to the National Registration Department (NRD). A database approximately 160GB in size, containing records of individuals born between 1940 and 2004, was offered for sale on the dark web for US$10,000. The dataset reportedly included national identity numbers, dates of birth, addresses, gender, religion, and official identification photographs. This incident followed a similar breach in 2021, where data of approximately 4 million Malaysians from the NRD appeared on dark web forums. Malaysian authorities, including the Home Minister, disputed the origin of the leaked data, asserting that NRD security mechanisms indicated the information did not originate from their systems. Investigations into the breach were initiated, though no conclusive findings regarding the source or method of exfiltration were disclosed at the time of reporting.

The incident generated significant public concern regarding cybersecurity practices within Malaysian government agencies, particularly due to recurring data exposures. Potential impacts included risks of identity fraud, with criminal groups potentially exploiting the leaked information for financial crimes such as unauthorized loans or credit applications. No confirmed instances of misuse were reported in immediate connection with the breach. The government maintained that the situation was under control but provided no specific remediation measures or technical details about containment efforts. Public statements focused on downplaying the severity while acknowledging ongoing probes, leaving many citizens apprehensive about data protection standards. The lack of transparency about the breach's origin and the absence of concrete corrective actions underscored broader anxieties about institutional cyber resilience in handling sensitive citizen data.
