The Star  

Nov 19, 2017
Sometime between May and July 2014, Malaysia suffered its biggest ever data breach, involving the personal details of 46.2 million subscriptions of all 14 telcos in the country, among others.

Nobody knew anything about it then. The breach was only discovered in October this year when someone tried to sell this treasure trove of information on the forums of technology news portal LowYat.net.

This means that unknown persons have had three years to make use of this data, for anything from scams to identify theft.

The breach is being investigated, and the police say they have solid leads.

But the telcos have not officially disclosed the breach to their customers, although they have come up with press statements to say they too are investigating.

Industry regulator the Malaysian Communications and Multimedia Commission (MCMC), for its part, has not kept the public informed of the gravity of the situation, nor has it set up any kind of mechanism for us to check our data.

In the nearly one month since the news first broke, despite the growing media coverage and even a few front page stories in The Star, most Malaysians are still in the dark.

This lack of transparency was what prompted tech blogger and IT expert Keith Rozario to set up SayaKenaHack.com, a website he coded in his spare time that allowed Malaysians to just key in their MyKad numbers to find out if the data breach contained their personal information.

The day The Star ran a story on his effort, our office was inundated by calls from members of the public. Was this site legitimate? Could it be trusted?

We assured them it could, because we had already verified this with other tech experts before we ran the story, while Rozario himself has been quite transparent about how he had set up the site.

Thanks to him, a few Malaysians can enjoy the peace of mind that comes from knowing their personal information was not leaked.

Unfortunately, most of us have found that our personal information has been leaked and is being used by unscrupulous people to target us for scams and to even sign up for mobile subscriptions under our names.

For this much needed public service – filling in the gaping chasm of inactivity on the part of the telcos concerned – the MCMC decided to block the site, citing the Personal Data Protection Act (PDPA).

Rozario himself is facing a public backlash on social media, with conspiracy theorists accusing him of running a phishing site so that he can mine their personal data – despite the fact that, thanks to the 2014 breach, the data is already widely available for free in many online forums, including hacker forums.

In the tech community, Rozario would be known as a “white hat hacker”, one of the good guys, as opposed to the black hats who have malevolent motives.

He set up SayaKenaHack.com because “geeks” and “hackers”, as he described them, would know how to check if their data has been leaked and what to do about it. He set up the site so that the “ordinary joe” could do the same.

“It’s emphasizing that normal people don’t deserve that knowledge while geeks and hackers do,” he wrote on his blog about the MCMC blocking his site.

“This is elitism, and it’s wrong.”

Certainly, many of us saw the value in his service, with more than 150,000 people using his site within 36 hours of The Star first running the story of SayaKenaHack.com.

But at midnight tonight, the understandably frustrated Rozario will be taking down his verification site.

It is a pity that instead of lauding his effort, too many of us decided to shoot the messenger.

(https://www.thestar.com.my/opinion/columnists/the-star-says/2017/11/19/of-white-hats-and-whistleblowers/#TfQbquY3X2GHK6YH.99)