Although the Malaysian government agency involved refutes it, cybercriminals have repeatedly pointed to a specific API for their successful data heist.

The personal data of over 22m Malaysian born between 1940 and 2004 has reportedly been leaked and put up for sale online.

The leaked data includes names, identity details, addresses, dates of birth, mobile numbers and photos, among other sensitive information. Online, the 160GB of stolen data is for sale at US$10,000. The anonymous seller had stated that the source of the data was the ‘myIDENTITI’ application programming interface (API), which allows various government agencies to access the personal data of Malaysians.

This is the second time that such sensitive personal information has been put on sale on the internet due to a compromised API. Last year in September, the first such incident involved the leakage by the National Registration Department of personal information of four million Malaysians through a compromised application programming interface.

Affected citizens are at risk of being victimized by cybercriminal groups that can use the information to commit identity fraud, take out loans in their name illegally, or commit other financial fraud using the identity information on file.

Furthermore, according to Phillip Ivancic, Head of Solutions Strategy (APAC), Synopsys Software Integrity Group: “This data breach highlights the importance for organizations to implement best- practice application security principles. Organizations around the world should create a holistic approach to application security via services such as threat modeling and architecture reviews.”

Ivancic strongly encouraged all Malaysians to change their (various) passwords and, if they have not already done so, “ensure that they have signed up to get alerts from official credit bureau sources to alert them if any loan, ‘Buy Now Pay Later’ or credit card loan is taken out in their name.”

The principles of strong passwords are already well established: everybody can follow simple guidelines to create regularly-changed, hard-to-hack passwords, as well as be attuned to suspicious online prompts and phishing attempts.