1.0 Introduction

Personally Identifiable Information (PII) database dumps are being sold in online forums by cybercriminals in exchange for bitcoin, with sample records posted as proof that the collected data is legitimate. MyCERT has observed an increase in data breach incidents that expose sensitive or confidential data. If the exposed information is valid, it poses a threat to the individuals who own the data.

PII such as names, permanent addresses, identification numbers, household income, email addresses or phone numbers, as well as intellectual property, could potentially be misused, and the affected individuals could be targeted for scams and other threats.

2.0 Impact

The impact of a PII breach on an individual depends on the nature and extent of the breach and the type of information that has been compromised. Larger breaches expose a wider group of people and may require considerable notification and remediation activities.

Serious impacts of a PII data breach on an individual could include:

  • Risk to individuals’ safety

An individual's whereabouts and addresses could make them a target of physical crime and harassment. A phone number could be targeted by spam and scam calls.

  • Scam Target

The information obtained about an individual could be misused by scammers, making that individual the victim of a scam such as the Macau scam. This is a spoofing technique via a telephone call that appears to come from trusted officials in the government or an enforcement agency. Their modus operandi is to create a panic situation that requires payment from the individual, using the data obtained from the leak as evidence that they are telling the truth.

More scams using PII data:

MA-809.062021: MyCERT Alert - Bogus Scam Email is on the Rise

MA-797.122020: MyCERT Alert - Misuse of Personal Data by Unlicensed Online Loan Provider

MA-741.082019: MyCERT Alert - Alert on Scam Website Impersonating as HRDF

  • Individual Impersonation or Identity Theft

PII that can be linked across various leaked sources poses a real threat. Even if a cybercriminal only gets hold of specific pieces of data from one breach, they can often match it with data collected from other lists or sources.

Fraudulent activities based on the collected data include fraudulent registrations that use PII. For example, a Malaysian identification number (NRIC) is required when registering for subscription services such as mobile networks, satellite TV and IPTV providers, bank loans and various government-related systems. An adversary may use this data to register falsely and impersonate the individual without their knowledge, which could result in duplicate records or financial losses for the real owner.

3.0 Recommendations

Protection of sensitive data is required not only for legal or ethical reasons but also for reasons of personal privacy. Hence it is important for individuals to be alert and vigilant when facing the threats mentioned above. Individuals need to prepare measures to manage data breaches that involve them, even indirectly.

MyCERT suggests the following guidelines covering the response actions to be taken after an incident has taken place:

  1. Do not disclose any private information including bank account number, ATM card, or credit card number to an unidentified individual.
  2. Do not carry out any financial transactions before verifying with the alleged parties.
  3. Always check with the organization involved by using their official numbers, and do not call back any number that was given during the call.
  4. Do not panic or blindly follow the instructions given by scammers; instead, report to the authorities or the financial institution involved.
  5. File a report to the Jabatan Siasatan Jenayah Komersial (JSJK), PDRM.

    Jabatan Siasatan Jenayah Komersial Bukit Aman
    Polis Diraja Malaysia
    Aras 33, Menara 238
    Jalan Tun Razak
    50400 Kuala Lumpur

    Phone: 03-26101222
    Fax: 03-26101000
    Operation: 03-26101599
    Email: rmp[at]rmp[dot]gov[dot]my

  6. File a report to the Jabatan Data Perlindungan Peribadi (JPDP).

    Jabatan Data Perlindungan Peribadi
    Aras 6, Kompleks Kementerian Komunikasi dan Multimedia
    Lot 4G9, Persiaran Perdana, Presint 4 Pusat Pentadbiran Kerajaan Persekutuan
    62100 Putrajaya, Malaysia.

    Phone: 03-8000 8000
    Fax: 03-8911 7959
    Email: aduan[at]pdp[dot]gov[dot]my

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 - 18:00 MYT

Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

4.0 References

  1. https://cyberconsol.cybersecurity.my/articles/macau-scam
  2. https://www.astroawani.com/berita-malaysia/macau-scam-all-you-need-know-263044
  3. https://blog.infoarmor.com/employers/what-is-pii-and-how-does-it-impact-privacy#ch6