MCMC and Nuemera: Sued over Malaysia Data Breach that put 46.2 million mobile number subscribers at risk.

Now you know why scammers are able to call your number, ask for you by name, and tell you what your IC number is…

A man pretending to be a sergeant with the police called me recently and asked me to turn up at the Kuching Police Station to be interviewed about an accident involving my car. He couldn’t understand that Ipoh is far from Kuching. 

Another called me about a credit card I am supposed to have with CIMB. 

It was reported that the police investigation the case have traced the breach to  Nuemera who handles the Public Cellular Blocking Services (PCBS).

PCBS was launched by MCMC in 2014 to block lost or stolen mobile phones using its unique International Mobile Equipment Identity (IMEI) number.


25 May 2018

Wrongdoings of MCMC must be investigated, say lawyers

KUALA LUMPUR (May 25): Wrongdoings on the part of the Malaysian Communications and Multimedia Commission (MCMC) must be investigated to ensure the commission has transparency and accountability to the Malaysian public, said Lawyers for Liberty executive director Eric Paulsen.

In a statement, Paulsen urged newly-appointed Communications and Multimedia Minister Gobind Singh Deo today to investigate the October 2017 personal data breach expose of over 46 million mobile phone subscribers (in addition to other personal medical and employment records from and various medical associations) that were compromised and sold.

He said the now-infamous largest data breach in Malaysian history has been traced back to MCMC’s outsourcing of a phone-blocking system to the little-known company Neumera Sdn Bhd, and until today, MCMC has not come clean on the scandal.

6 March 2018

2m2 minutes ago

MCMC and security firm ordered to file defence on data leak

KUALA LUMPUR: Malaysian Communications and Multimedia Commission (MCMC) and Nuemera, a data security company, have been asked to file defence over a data leak case involving 46.2 million telco subscribers.

The Session Courts today instructed MCMC and Nuemera to file defence against the civil suit brought by PKR communications director Fahmi Fadzil.

Lawyer Louis Liew who represented Fahmi told reporters that Judge Harmi Thamri Mohamed had set March 22 for case management and asked the defendants to file their defence.

The plaintiff found out about the data leak and that his details were part of it on October 2017 after a few websites and news portals revealed the leak.

7 February 2018


MCMC and Nuemera sued over 2014 data breach

By Danial Dzulkifly

KUALA LUMPUR, Feb 7 ― PKR communications director Fahmi Fadzil filed a civil suit against the Malaysian Communications and Multimedia Commission (MCMC) and Nuemera (M) Sdn Bhd yesterday for alleged failure to protect 46.2 million personal information.

The suit was triggered by a massive date breach that is believed to have occurred in 2014.

“In this digital era, our personal infomation has become the basis of our day to day transaction. The public needs to know that they can trust and feel confident about the institutions and parties who are entrusted of such duties, can stay true to their responsibilities.

“The massive data breach questions the fidelity and integrity of the safety mechanism in place to protect our personal data and those who are responsible for it,” he said.

Fahmi said it is incomprehensible that such a breach of 46.2 million personal data, almost 1.5 times of the Malaysian population, was leaked online and news of the incident was only made public last year.

“To date there has yet to be any arrest or parties prosecuted on the matter. In a mature democracy, such a scandal would have led to the people responsible resigning or contract of the entrusted company terminated. However, it seems to be business as usual.

“This issue is a great matter of public interest. Private data such as our identification card numbers, home addresses and phone numbers at the time of the breach were leaked. This puts us all at risk,” he said.

“I believe the public wish to know how the theft occurred and what are the measure taken by the authorities to contain the breach. We hope through the suit, such questions can be answered as we seek justice for all Malaysians,” Fahmi added.


ZZZleak.JPG previously said the breach occurred between May and July 2014.

The breaches affected, Malaysian Medical Association, Malaysian Medical Council, Academy of Medicine Malaysia, Malaysian Dental Association, National Specialist Register of Malaysia and telecommunication companies, such as Maxis, Celcom and DiGi.

2 November 2017

Data leaks came from many sources, says Lowyat founder

Low Han Shaun

THERE is more than one way that the leak of 46.2 million mobile phone subscribers in Malaysia could have had happened, founder Vijandren Ramadass said, adding that the site’s own investigations showed that the data had been passed around among different users.

By the time the online forum stumbled on the information on October 19, it was free and available as a direct download link on several sites.

According the Vijandren, the files were in different formats and showed file degradation from using various compression software.

This means that the data have been passed between different users, growing in size as more and more information was collected.

“The data are in different formats and compiled in multiple zip files in different formats.

“The reason we know the files are not new is because when you zip (compress) a file, data gets corrupted a bit, so the larger the compression, the more corrupted a file can get.

“And a lot of the files that we got were corrupted.”

This is why it is hard to determine where the breach came from, he said.

Additionally, people online have been sharing the information for years, which makes it even harder to determine when it all started. previously said the breach occurred between May and July 2014.

31 October 2017

The Star‏Verified account @staronline

M’sia sees biggest mobile data breach

PETALING JAYA: The personal details of some 46.2 million mobile number subscribers in Malaysia are at stake in what is believed to be one of the largest data breaches ever seen in the country.

From home addresses and MyKad numbers to SIM card information, the private details of almost the entire population may have fallen into the wrong hands.

Malaysia’s population is only around 32 million, but many have several mobile numbers. The list is also believed to include inactive numbers and temporary ones bought by visiting foreigners.

With this leak, Malaysians may be vulnerable to social engineering attacks and in a worst-case scenario, phones may be cloned.

It is also said that 81,309 records from the Malaysian Medical Council, Malaysian Medical Association (MMA) and Malaysian Dental Association were also leaked.

The leak of the mobile data was reported earlier this month on online forum and news site, which reported that it was thought to originate from a massive data breach in 2014.

Yesterday, the site “confirmed” that 46.2 million mobile numbers were leaked online. founder Vijandren Ramadass told The Star that all information it received on the matter was handed over to the Malaysian Communications and Multimedia Commission (MCMC).

Asked what sort of action would be needed, he said: “Telcos need to admit that this breach actually happened and should inform all their customers what should be done.”

It is believed that the MCMC and police are collaborating on the investigation.

Read more at said it had no choice but to post the article after its alerts to the ministry to act on the matter went unheeded.

Salleh said this arose from a “misunderstanding”, which is now settled.
The article that was removed on MCMC’s orders on October 19 said the personal data of millions of Malaysians were leaked from a recruitment portal, medical associations and telecommunication companies.

The data, including names, billing addresses, mobile numbers and MyKad numbers, were allegedly stolen between 2012 and 2015.

26 October 2017

Internet regulator, cops investigating data breach, says minister

Yasmin Ramlan

MALAYSIA’S internet regulator said it ordered the removal of an article on an alleged massive breach of  personal data on online forum because of a miscommunication and is now investigating the violation of data privacy.

Communications and Multimedia Minister Salleh Said Keruak said police and the Malaysian Communications and Multimedia Commission (MCMC) are trying to identify the third parties who supplied and attempted to sell the information online.

“The matter is under investigation. What is important is not just trying to identify the source of the information but the individual involved,” Salleh said during the Dewan Rakyat’s question-and-answer session today.

He was answering a supplementary question from M. Kulasegaran (Ipoh Barat-DAP) on MCMC’s order to to remove an article titled Personal data of millions of Malaysians up for sale, sources of breach still unknown. said it had no choice but to post the article after its alerts to the ministry to act on the matter went unheeded.

Salleh said this arose from a “misunderstanding”, which is now settled.


20 October 2017



Alleged data breach: Don’t shoot the messenger, MCMC told

PETALING JAYA: The Lawyers for Liberty (LFL) want the Malaysian Communications and Multimedia Commission (MCMC) to explain its order for to remove its report on an alleged breach of personal data involving millions of people.

Calling such behaviour undemocratic, LFL added that it was a grave abuse of power and against the “no-Internet-censorship” policy protected in both the Communications and Multimedia Act 1998 and MSC Malaysia’s Bill of Guarantees.

“Instead of shooting the messenger, MCMC should be more alarmed at the contents of the report which should be MCMC’s primary concern, ie. the personal data security of the communications and multimedia industries and the prevention of online fraud.

“If the report was untrue or inaccurate, then the burden is on to rectify or remove the report altogether if it cannot be salvaged.

“However, if the report can be substantiated, then it would be wholly irresponsible and shocking for MCMC to order for its removal as this would clearly amount to censorship of internet content and a desperate attempt to stem the flow of critical news and information,” LFL executive director Eric Paulsen said in a statement today.
Paulsen said MCMC should remember that its “real work” was not to censor news that it did not like or target those who posted critical or “offensive” remarks against the authorities.

“It would be more prudent for MCMC to come to terms with the reality of the Internet and social media rather than resorting to harsh enforcement methods that are inconsistent with modern democratic demands,” he added.

He said unless MCMC could justify its action, all orders against to remove the report should be immediately revoked.


MCMC orders Lowyat to take down report on massive data breach


MALAYSIA’S internet regulator today ordered an online forum to remove news on a massive data breach involving millions of users, estimated to have taken place between 2012 and 2015.The Lowyat website said the order from the Malaysian Communications and Multimedia Commission came after it reported that databases of Malaysians’ personal details, obtained from, the Malaysian Medical Association and the Malaysian Housing Loan Applications, among others, were being sold for bitcoins since late yesterday on its forums.It said “the mother lode” was customer data from telecommunications companies, including Celcom, DiGi, Maxis, TuneTalk and Umobile.“While we did brush off the tip-off as just another scammer looking to make a quick buck at first, we decided to dig a little further and discovered that this could be one of the biggest data breaches ever in Malaysian history,” said the website.It said more than 50 million records from telco firms were being sold, including data on customers’ names, addresses and mobile phone numbers, and even the MyKad numbers of some Malaysians.“Based on the data, we estimate that the breach could have happened anywhere from 2012 to 2015.

MCMC orders to remove report on major data breach

(Updated )


Among the data on sale was 50 million entries of data from various telcos.

It said the data included customer names, billing addresses, mobile phone numbers, sim card numbers, handset models and MyKad numbers of customers.

It added the data breach was believed to have occurred between 2012-2015.

Other data on sale were 17 million rows of customer information from a jobs portal.

The data included candidate’s name, login name, hashed password, email address, nationality, address and mobile phone number.

It added this particular set of data was likely to have been obtained between 2012 to 2013.

Apart from these, there were also two sets of 20,000 and 62,000 data of doctors respectively, obtained from medical associations and 720,000 entries of housing loan applications.

The doctors’ data included MyKad numbers, operating address and mobile numbers.

The housing loan application data contained information such as name, MyKad number, contact number, email address, blacklist status, address, job, employer details, salary and spouse’s details.

Malaysiakini has contacted the MCMC for comment and is awaiting a response.

The Malaysian Communications and Multimedia Commission (MCMC) has ordered to remove a report of what the technology portal claimed was one of the country’s biggest data breaches in history.

Around two hours after the report titled “Personal data of millions of Malaysians up for sale, sources of breach still unknown” was uploaded this evening, removed the story.

It was replaced with the message stating: “MCMC has requested the removal of this article. We are still awaiting an official statement from them”.

This entry was posted in Uncategorized and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s