This story is over 5 years old.

Everyone In Malaysia Just Had Their Personal Data Stolen. Could Indonesia Be Next?

Recent reports on the hack of a dozen Malaysian telecom providers found that the leak affected the personal information of nearly every single citizen.

Malaysian officials are reeling from the largest data breach in the country's history this week with a leak of the personal data of more than 46 million mobile phone customers. That's 46.2 million customers in a country of 31 million people—meaning that the personal data—including government ID numbers, birth dates, passwords, and home addresses—of nearly every single Malaysian citizen is out there on the dark web.

The breach reportedly occurred in 2014, but details are only now surfacing after the tech portal Lowyat.net broke the story earlier this week. It appears to affect the customers of a dozen Malaysian telecom and mobile internet providers, exposing millions to fraud and identity theft.

"This stolen data may ultimately impact almost every Malaysian," Bryce Boland, FireEye's chief technology officer in Asia Pacific, told Reuters.

It's common in countries across Southeast Asia for consumers to own more than one SIM card. Coverage is spotty, rates are often higher when calling people on other plans, and pre-pay rates are dirt cheap—all factors that left countries like Malaysia and Indonesia with more SIM cards than they have people.

But a lot of these same countries are also remarkably prone to hacks. In Indonesia, where loose enforcement of intellectual property rights has left the marketplace full of bootleg versions of Windows OS, as many as 63 percent of the computers running cracked operating systems, as well as the majority of the pirated DVDs sold in malls, are infected with malware, according to Microsoft Indonesia.

In the past year, Indonesian hackers have breached the firewalls of national travel sites (stealing enough money to buy a Ducati motorcycle) and of digital billboards, which they used to post Japanese porn videos outside the mayor's office. They've also launched repeated attacks on the websites of foreign governments, corporations, banks, and even telecom providers.

But, so far, Indonesian consumers have been safe from this kind of telecom hack. The country doesn't require residents to register their SIM cards before use, a fact that has left much of the country's stock of cellular numbers without any personal data attached.

Or, at least, they didn't require it. Until now.

The timing of the Malaysian telecom hack couldn't be worse for the Indonesian government. The Ministry of Communications and Technology is currently pushing through a new policy that would require everyone with a SIM card to register their national identity number and family card with their telecom provider. Anyone who fails to register before 28 Feb. 2018 will have their service cut.

The ministry says the measures are needed to cut down on instances of fraud. But the new regulation places all the risk on consumers. Indonesia has 32 laws related to the use of personal data for telecom, finance, banking, and security purposes. But it doesn't have a single law on the protection of personal data, explained Wahyudi Djafar, the deputy director of research at the Institute for Policy Research and Advocacy (ELSAM).

"Indonesia doesn't have a law on personal data protection but it's still requiring people to register data for their SIM card," Wahyudi said at a recent press conference.

Top ministry officials have tried to calm these concerns, explaining that the telecom providers won't receive any personal data from the government's records. They are only confirming that each personal ID number is actually in the registry.

"They are only validating it," Ahmad M. Ramli, the director general of information management at the ministry, said in a press conference. "So don't worry."

But the assurances weren't actually all that reassuring. The telecom providers still need to have the government identity data to verify it in the first place, so while a hack might not expose all the personal information the government currently stores on its servers, it would still leak two forms of vital government ID.

With someone's NIK and family card information, anyone could open a bank account or credit cards in someone else's name and potentially obtain a fraudulent government ID card (KTP), stealing a person's entire identity.

In Malaysia, citizens will be dealing with the fallout of this leak for years to come. But the risks in Indonesia still remain largely unknown. At least for now.