A Malaysian telecommunications company, Telekom Malaysia, reported a data breach incident after learning that malicious actors gained access to its systems on December 28. The incident is said to have affected all of the company’s Unifi Mobile users, including individuals and small and medium-sized enterprises (SMEs).
Reports reveal that the hacker who posted the telco’s data last December 24 in an underground forum claimed it had stolen a large database containing over 2.7 million data entries, selling it for $850.00 or about RM3,750.
Approximately 250,000 customer accounts of Telekom Malaysia were impacted.
The telco’s investigation of the incident showed that 250,284 customer accounts were affected, which contained personally identifiable information (PIIs) such as full names, contact details, and email addresses. Telekom Malaysia assured that aside from these data, no other customer information was compromised.
These affected customers were immediately notified and ensured that incident mitigation was underway. Furthermore, customers of the telco firms have not reported any service disruptions during the security breach.
On the other hand, the hacker who posted and offered the firm’s data on a dark web forum said it is only available for one interested customer and will include “admin access.”
The hacker shared 100 data entry samples as well. These samples contained customers’ full names, contact details, email addresses, payment methods, transaction IDs, and receipt numbers. Thus, the company’s claims that only a limited amount of information from the affected customers was compromised could be wrong.
The telecommunications company has closely monitored the incident and is conducting deeper assessments. In their released statement, Telekom Malaysia advised its customers to be cautious against potential attacks from unknown entities, and take extra precautions including changing passwords and activating multi-factor authentication.
Relevant authorities have also been contacted, including the Malaysian Communications and Multimedia Commission, the National Cyber Coordination and Command Centre, and the Department of Privacy and Data Protection.
