A technology forum in Malaysia is under investigation after publishing details of a major data breach which included the personal information of more than 220,000 organ donors.
Lowyat.net, which previously exposed a leak of 46m citizen records belonging to Malaysian communications firms – reported Tuesday (23 January) that the details appeared to be from a central database linked to state hospitals and national transplant resource centres.
Complete entries of personal information included ID numbers, names, email addresses, home addresses and phone numbers of 220,000 citizens recorded between January 2009 and August 2016.
Taking 'next of kin' records into account, the number of victims could be as many as 440,000, Lowyat reported.
The website claimed that the cache was uploaded to a "popular file-sharing service" in September 2016. It is believed the files are still online.
"Aside from the usual risks associated with data breaches, the presence of relationship data between two individuals also increases the risks of malicious social engineering attacks against the victims," a blog post read, adding that authorities had been notified of the incident.
But officials say they are suspicious that two major leaks have appeared on the same website, with the Personal Data Protection Commission announcing a probe has now been launched.
"We find it suspicious and we will be in contact with the website administrators regarding this case," said Mohamad Fuzi Harun, chief of the Royal Malaysia Police. "The case is being investigated by the Federal Commercial Criminal Investigation Department (CCID)," he added.
According to its website, the CCID probes cybercrime, banking fraud, love scams and more.
"Even when the previous leak happened, we saw it on the [Lowyat] website, and the information came from the same source," the police chief continued. "It is something we find strange."
However, officials acknowledged little progress had been made regarding the theft of 46m records. Harun said the Communications and Multimedia Commission was leading that case.
The leaked records from 2017 eventually ended up being traded on the dark web. At the time, Malaysian authorities pressurised Lowyat to remove its post about the incident. Administrators said they first became aware of the breach after details were posted on the website's forums.
On Tuesday, Lowyat editor Syefri Zulkefli tweeted a link to the story, writing: "Here we go again."