The National Registration Department (JPN) of Malaysia has issued a firm denial regarding allegations of a data leak concerning MyKad, the national ID card system. In a statement released on Facebook, JPN reassured the public that its investigation has turned up no evidence of any data breach or unusual activities within its systems.
The department emphasized that similar incidents have not transpired in the past, and it reassured citizens about the safety and integrity of Malaysian data under its stewardship. JPN coordinated with the National Cyber Security Agency (NACSA) and the Royal Malaysian Police (PDRM) to aid in their investigations, showcasing its commitment to transparency and public safety.
Further bolstering its stance, JPN’s post included affirmations from high-ranking officials, including the Minister of Home Affairs, the NACSA Director General, and the Deputy Director of PDRM’s Commercial Crime Investigation Department. These officials collectively reiterated that there has been no breach of the JPN database, aiming to quell any rising concerns among the citizenry.
These statements come in the wake of claims made by dark web threat intelligence firm StealthMole, which stated on December 3, 2024, that hackers were attempting to sell the MyKad data of approximately 17 million Malaysians online. However, reports indicate that the materials purportedly being sold consist primarily of images of ID cards rather than structured database entries. This suggests that the information may have been acquired through electronic Know Your Customer (eKYC) systems employed by various shopping and service platforms, banks, and other institutions, rather than directly from JPN’s database.
NACSA has also dismissed the notion of a recent data breach linked to the alleged MyKad leak. Director-General Ir Dr. Megat Zuhairy Megat Tajuddin stated that an analysis conducted by the National Cyber Coordination and Command Centre (NC4) revealed that the samples in question originated from breaches dating back to 2015 and 2017. These past incidents have allowed the data to circulate online without any credible connection to recent security failures.
In the context of cybersecurity, while no immediate threat has been substantiated regarding JPN’s systems, the allegations draw attention to critical tactics from the MITRE ATT&CK framework, namely initial access via compromised eKYC systems and persistence through the dissemination of previously stolen data. As businesses increasingly rely on such digital verification methods, the case highlights the need for robust cybersecurity measures to protect sensitive information from potential adversaries.
The situation underscores the importance of vigilance and rigorous data protection practices as organizations navigate a landscape with ever-evolving cyber threats. As authorities continue their investigations, the emphasis on maintaining stringent security protocols and swift communication will be key in preserving public trust.
For further developments on this situation, one can follow official updates through platforms like JPN’s Facebook page, where real-time information is being shared. This incident serves as a vital reminder of the interconnected nature of digital identity verification systems and the imperative for heightened security across all sectors involved.