[Exclusive] Alarm over sale of personal data

Malaysians' personal data is actively being sold on the dark web, with at least one advertisement from those with the information appearing every two days, suggesting lax data protection protocols among local companies.

This has raised alarm among enforcement agencies, as data breaches have been identified as the main cause behind the skyrocketing number of scams in the country.

CyberSecurity Malaysia (CSM) Cyber Security Responsive Services acting division head Mohd Zabri Adil Talib said the agency had identified more than 10 accounts used by threat actors, a term to describe persons or groups that partake in actions intended to cause harm in the cyber world.

These actors, who use usernames such as MYMASTRD, ACTIFEDOT, DREAMSTIME, NIMORI and DESORDEN, are actively promoting Malaysians' personal data on the dark web.

Some even set up databases with information they siphoned from various sources to provide search services to those willing to pay for the data.

Zabri said CSM's surveillance found that some threat actors appeared to be competing to be the main brokers in Malaysia.

"You can pay as low as RM8 and they will provide you with all the information you need. Or you can even subscribe to their database for RM2,000, for example.

"This is one of the new ways to make money and that is why these hackers will continue to hack to obtain more valuable and latest data," Zabri said, adding that privacy and security settings on the dark web hampered efforts to identify these threat actors.

He said some culprits could be foreigners residing in Malaysia.

Personal data found on the dark web includes data allegedly siphoned from national agencies, ministries, telecommunications providers, financial institutions, broadcasting companies and messaging applications.

"13 million Malaysian bank leak", "1 million Singapore-Malaysia passenger record" and "60k private data from big tech Malaysian company": these are some of the descriptions threat actors use to lure buyers.

Zabri said there had been a rise in data breaches in the past five years, peaking at 50 reported cases last year, a 44 per cent increase from 28 cases in 2021.

The surge in cybercrime reflects the rise in data breaches.

The Bukit Aman Commercial Crime Investigation Department revealed that the number of cybercrime cases nearly doubled from 10,753 in 2018 to 19,175 in 2022.

Zabri said Malaysian businesses' preparedness against security threats was poor, with the majority of them viewing improving cybersecurity as an additional expense.

"We buy gadgets such as computers and smartphones, but we don't install any software protection or security applications. This puts us at risk of being hacked by cybercriminals."

He said the risk of being hacked was higher for companies with highly valuable data.

He cited legal loopholes and the absence of a body with the authority to look into data breaches in Malaysia as the reasons Malaysians' personal data was being targeted and actively being sold.

The apparent flaw in the Personal Data Protection Act, which does not require businesses to report data breaches, allowed firms to stay silent about them to avoid penalties and damage to their reputation.

"If you look at the General Data Protection Regulation in Europe, they make it mandatory for companies involved in data breaches to report them and the fine is lower if they report earlier and it will double up if they report later.

"We need a cybersecurity act and a commission with the authority to audit businesses that may have experienced a data breach," Zabri said.

He said firms should be responsible and not only report data breaches, but also inform their customers of data leaks so that they can change their passwords.
