Personal details of over 200,000 Malaysian organ donors leaked in yet another data breach
KUALA LUMPUR — The personal details of around 220,000 Malaysian organ donors and their next-of-kin have been leaked online since September 2016, popular Internet forum and technology magazine website Lowyat.net reported on Tuesday (Jan 23).
Two recent incidents of massive personal data breaches in Malaysia have shone the spotlight on data security in the country, which experts say likely stem from the use of poor cyber security tools that do not offer sufficient protection against increasingly sophisticated threats. Photo: Reuters
This comes months after an earlier report by the same website claiming that the personal data of 46.2 million Malaysians had been stolen and sold online, in what is possibly the country’s biggest personal data breach.
The site said the latest leaked files are updated up to August 31, 2016, and contain details including the donor's name, identification card number, race, nationality, address and phone numbers.
The data also contains details of each organ donor's one nominated next of kin, taking the total number of data leak victims to 440,000.
Lowyat.net pointed out that the leaked data also contains sign-up data from government hospitals as well as the National Transplant Resource Centers across the country.
The online forum explained that this meant that said information was originally retrieved from a central database, and that the files were first uploaded online to a popular file sharing service on September 29, 2014.
“The data dump is divided into files, by year of sign up — from 1997 till 2016, however, for reasons we are not able to ascertain, all data from 1997 to 2008 is filled with auto generated dummy data, rendering them useless.
“The data dump from January 2009 to August 2016 however contains complete personal details of around 220,000 individuals who have signed up as organ donors, as well as personal details of their next of kin,” the report added.
What is alarming is that the file dump also includes an annual breakdown of demographic data of all organ pledgers by sex, race, origin, types of organs as well as age groups.
Mr Vijandren Ramadass, the founder of Lowyat.net, told Reuters that the portal discovered the leak being shared on a popular file sharing site for free.
"The files are still online now. We did submit a direct request to the host on Sunday to remove the files but we didn't get any response," he said.
The country's internet regulator, the Malaysian Communications and Multimedia Commission, said it was assisting the police in their investigations into the reported leak.
The Personal Data Protection Commission (PDP), which is under the Communications and Multimedia Ministry, added that it has also launched an investigation into the personal data breach.
“The PDP takes note and views the seriousness of the personal data breach incident of the Malaysian organ donors that was alerted by lowyat.net yesterday," it said in a statement on Wednesday (Jan 24).
“That issue is being monitored and investigated under the Personal Data Protection Act 2010 (Act 709).”
However, the police expressed doubt on the source behind the latest claim.
Inspector-General of Police Mohamad Fuzi Harun said the police deduced that the source is likely to be the same as the one that supplied Lowyat.net with information on the previous leak.
"Even when the previous leak happened, we saw it on the website, and the information came from the same source. We are a little suspicious about it, over how it came from the same source. It is something we find strange," he told reporters.
Malaysian Digital Economy Consumer Association secretary-general Muhammad Sha’ani Abdullah said government agencies involved in the collection of personal data should put in place security measures to prevent any further data breaches.
This latest incident is the second known data breach in months.
In October last year, Lowyat.net reported that the personal information of millions of Malaysians was up for sale on its online forums. It said the leak included postpaid and prepaid numbers, customer addresses as well as SIM card details from all major telco operators, namely DiGi, Celcom, Maxis, Tunetalk, Redtone and Altel.
It also said the databases of Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA) were compromised.
These medical databases included personal information, identity card numbers, mobile/work/home phone numbers, as well as work and residential addresses.
Following the report, the Malaysian police said it had narrowed down possible suspects behind the leak. AGENCIES
