Special Report

Massive data leak trail leads to MCMC's phone blocking system


SPECIAL REPORT | Information has surfaced that suggests personal data stolen from telecommunications companies (telcos) may have been destined for the Malaysian Communication and Multimedia Commission's (MCMC) system intended to deter mobile phone theft.

The leaked telco data was part of the larger trove of stolen data, which was first highlighted by Lowyat.net on Oct 19, after an attempt by an unknown user to sell them on the technology portal's forum.

Malaysiakini in this KiniGuide report explains the nature of the stolen data, which included data from a jobs portal, a foreign exchange trading platform and medical associations, and which may have been sourced from separate cybersecurity breaches.

However, an analysis by Malaysiakini has uncovered details of how the breach specific to the telco data may have occurred.

In the analysis, Malaysiakini found several file names of the telco data containing either the word PCBS, MCMC or SKMM. File names from at least six telcos had used these references.

MCMC and SKMM are abbreviations for the Malaysian Communications and Multimedia Commission, while PCBS is short for the Public Cellular Blocking Service.

The PCBS, launched in February 2014, was an initiative by the MCMC to provide a service that allowed stolen phones to be blocked from making calls, texting or accessing the Internet - even if the SIM card is changed.

For this purpose, the Malaysian Central Equipment Identity Register (MCEIR) was created, which is a database of International Mobile Equipment Identity (IMEI) numbers, unique serials that can identify every mobile phone in the country.

The leaked telco files, on top of personal information, also contained IMEI numbers and were last modified between May and July 2014.

A telco executive, speaking on condition of anonymity, confirmed to Malaysiakini that the telcos had compiled a database of their users and handed them over for the PCBS.

PCBS has been outsourced

In 2014, the telcos also sent notices to their customers that their personal data would be released to the MCEIR. These notices are still available on the websites of most major telcos.

However, the PCBS was not managed by MCMC itself but outsourced to private firm Nuemera Sdn Bhd.

The telco source did not disclose whether the personal data were surrendered to the MCMC or directly to the manager of the system, which is Nuemera.

When contacted, Bukit Aman’s CCID principal assistant director (cybercrime and multimedia investigations), Ahmad Noordin Ismail, confirmed to Malaysiakini that police were investigating Nuemera over the data leak. However, he did not disclose the nature of the investigation.

Previously, inspector-general of police Mohamad Fuzi Harun said that it was possible that the breach "occurred after several staff (members) from a company tasked with transferring the data took advantage of the situation."

Both the MCMC and Nuemera declined to comment on questions regarding the stolen data and the PCBS.

"The issue of the telco data breach is currently being investigated jointly by the MCMC and the police. As such, we are unable to provide you with any comment at the moment," a Nuemera spokesperson told Malaysiakini in an email.

Likewise, MCMC chief operating officer Mazlan Ismail told Malaysiakini that he could not answer if the leak and the PCBS were connected, saying it was "part and parcel of investigations by the (police) CCID (Commercial Crimes Investigation Department)".

News about Nuemera being engaged by the MCMC to develop a system to block stolen mobile phones goes as far back as 2007.

Its profile with the Companies Commission, retrieved on Nov 23 this year, states that it is a dormant company.

However, Nuemera said that information about the company's status was being updated and that it was an "actively trading company".

The PCBS, to the public, is better known by its portal name blockmyphone.my.

Users who have had their mobile phones stolen can report to their telco, which will then inform the authorities to block the phones through the PCBS.

The PCBS is free to use for mobile phone users.

But, according to an MCMC circular issued in April 2013, telcos are to pay an annual fee of RM1.50 per active user to facilitate the operations of the PCBS, which runs 24 hours a day.

This means that up until 2016, the MCMC collected RM1.5 million annually for every one million active phone users.

The MCMC lowered the fee to 50 sen per active user in April this year.

No personal data is published in this report. Section 45 of the Personal Data Protection Act 2010 provides for an exemption for data processed for journalistic and public interest purposes.