The personal data of millions of Malaysians aged 23 to 43 kept by the National Registration Department (JPN) appears to have been put up for sale online for about RM35,000, an IT expert has claimed on Twitter.
Adnan Shukor also shared a screenshot showing the seller offering the data of four million people leaked through the Inland Revenue Board (LHDN).
The tax agency is one of 10 government bodies on a shared platform called myIDENTITY where data from JPN is shared.
MalaysiaNow understands that LHDN is currently investigating the claims.
According to the screenshot, a total of 32GB of data in 19 files contain the information of those born between 1979 and 1998, with details such as addresses, mobile numbers and photographs, as well as race, religion and MyKad identification numbers.
The data is being offered for 0.2 bitcoin, which equals to about RM35,000 at the current cryptocurrency exchange rate.
Meanwhile, an article on popular technology forum Lowyat.net said this was not the first time the seller was offering personal data for sale.
It said the same seller had put up a database he claimed was siphoned off from the Election Commission.
The government platform myIDENTITY was launched about a decade ago to ease the sharing of data of Malaysian citizens and permanent residents.
Apart from JPN and LHDN, the platform also makes the data available to the immigration department, Road Transportation Department, Election Commission, Education Service Commission, Social Welfare Department, Labour Department of Peninsular Malaysia, National Higher Education Fund Corporation, as well as the police.
The system has made it more convenient for Malaysians in that data need not be repeatedly entered when dealing with the online forms of government agencies.
Despite the implementation of the Personal Data Protection Act in 2013, several cases of personal data leaks have been reported over the years.
These include the 2017 data breach involving more than 46 million subscribers of major mobile telco services, with details leaked on the dark web complete with phone numbers and home addresses.
In March, meanwhile, details of hundreds of thousands of credit cards issued by banks in Malaysia, Singapore, the Philippines, Vietnam, Indonesia and Thailand were found online in another massive data breach.