Cyber Incident Victim: Perkeso
Date: Dec 2023
Location: Malaysia
Summary
Perkeso confirmed a cyberattack compromising its systems, with hackers leaking questionable and incomplete personal data including names, identification numbers, salaries, and business details, alongside internal breach discussions. The organization's ICT team restored operations after attackers initially targeted infrastructure paralysis, leading hackers to pivot to character assassination tactics. This incident follows prior breaches, underscoring systemic vulnerabilities despite successful containment of a previous attack months earlier. Broader government data exposures have amplified risks of irreversible personal information misuse for scams and identity fraud, while legal gaps exempt public agencies from data protection accountability under current laws.
Description
On December 2, 2023, Perkeso (Malaysia’s Social Security Organisation, or Socso) experienced a cyberattack targeting its systems, database, and website. A hacker group publicly claimed responsibility, posting a forum thread alleging system compromise and sharing sample data purportedly stolen from Perkeso. The leaked samples included personal details such as full names, IC numbers, phone numbers, salaries, business names, and blood types. The attackers further escalated the incident by uploading a recording of Perkeso’s internal video meeting discussing the breach to YouTube, though this was later removed. Perkeso confirmed the cyberattack on December 8, activating a crisis management plan immediately upon detection. The organisation’s Information and Communications Technology (ICT) team worked to restore systems, noting that the attackers’ initial objective was to paralyse infrastructure critical to daily operations. After Perkeso regained control of its systems, the hackers shifted tactics to what the organisation described as “character assassination attacks.”

Perkeso asserted that services to contributors, employers, and the public—including interest payments, compensation, and disability pensions—remained unaffected. Analysis of the leaked data by Perkeso revealed inconsistencies: the samples were deemed questionable, incomplete, and invalid, with portions allegedly never recorded in its databases since its establishment in 1971. The organisation acknowledged prior cyber incidents, including a breach in September 2023 that was successfully contained. It framed the latest attack as part of a broader pattern of targeted assaults against national interests and shared forensic details with authorities to prevent similar breaches at other government agencies. The incident occurred amid a series of high-profile data leaks involving Malaysian government entities, including the MySejahtera health app (impacting over three million records), the National Registration Department, and the Election Commission. Legal experts cited in the report highlighted gaps in Malaysia’s Personal Data Protection Act (PDPA), which exempts government agencies from accountability for data security despite risks of misuse such as scams, phishing, and fake registrations.
