Investigators from the police and the Malaysian Communications and Multimedia Commission (MCMC) have traced what is believed to be one of the country's biggest data breaches in history back to an IP address in Oman.

Inspector-general of police (IGP) Mohamad Fuzi Harun told the New Straits Times (NST) that investigations into the data breach, in which over 46 million entries of data from various telecommunications companies were put up for sale, were ongoing and that no arrests have been made thus far.

Fuzi also refused to rule out telcos themselves as suspects in the case, saying it was too early to draw any conclusions, NST reported.

The IGP told Bernama on Thursday that the leak likely occurred during a data transfer process at a telco, adding investigators have a lead into the means by which the data could have been released.

The leaked data is said to include customers’ names, billing addresses, mobile phone numbers, SIM card numbers, handset models and MyKad numbers.

The leak was first reported on Lowyat.net in an article “Personal data of millions of Malaysians up for sale, sources of breach still unknown,” in which the authors claimed they recovered a tip-off that someone was selling huge databases of personal information belonging to Malaysians.

The portal had said it was initially sceptical about the tip-off, but later discovered that it could be "one of the biggest data breaches ever in Malaysian history".

Just two hours after the article was published, MCMC ordered the site to take the article down.

Communications and Multimedia Minister Salleh Said Keruak later clarified in Parliament that the MCMC request was largely due to “miscommunication,” and that the commission had since cleared the air with Lowyat.net.