The seller claimed that the data was from JPN but acquired through LHDN’s website using myIDENTITY’s API. It was listed on the marketplace for 0.2 BTC which was around RM 35,495 at the time we published the report this morning. According to the Director of PDRM’s Commercial Crime Investigation Department, CP Mohd Kamarudin Md Din, a police report regarding the incident has been lodged in Putrajaya by the Deputy Director of JPN and the case is currently being investigated under Section 4(1) of Computer Crimes Act 1997 [pdf]. CP Kamarudin added that a thorough investigation will be carried out in collaboration with the Malaysian Communications and Multimedia Commission (MCMC), CyberSecurity Malaysia, and National Cyber Security Agency (NACSA). Interesting enough, the police are not ruling out the involvement of insiders in this incident. PDRM reportedly has also made the first move by attempting to block the sale of the database although our quick visit to the marketplace forum showed that the listing is still there in the marketplace forum as of 9:30 PM today. In a separate statement, LHDN has refuted the claim that its website was the source of the database leak and insisted that it is just a user of myIDENTITY but does not own the platform. The board has also revealed that its own internal investigation showed that there was no leak of data and information at its end.
LHDN insists that all of the data and information under its custody is safe and protected by “recognised data security technology”. That being said, it is currently working together with JPN, NACSA, and the National Security Council to go through all the possibilities in regards to the said database. (Source: Bernama, LHDN / Facebook. Images: JPN, Google Maps.)