Viral data‑leak claims stem from pre‑2022 intrusions, unrelated to current systems, says National Security Council

KUALA LUMPUR, June 21 — The National Security Council (MKN) has clarified that claims of a personal data leak circulating on social media refer to information believed to have originated from cybersecurity incidents reported before 2022 and are not linked to any current platform.

The council through the National Cyber Security Agency (NACSA), said the information was believed to have been unlawfully obtained through cyber intrusions targeting various systems prior to 2022 and is now being redistributed through online platforms without authorisation.

“NACSA emphasises that providing, disseminating or granting access to information obtained unlawfully constitutes an offence under Malaysian law, even if the service is hosted outside the country,” the council said in a statement said.

The NACSA, together with MyNIC and the Personal Data Protection Department, has taken immediate action, including engaging foreign service providers to remove and block access to the websites concerned, it added.

At the same time, NACSA is working closely with the Royal Malaysia Police to conduct digital forensic investigations aimed at identifying those involved and bringing them to justice.

The council also advised Malaysians not to use or obtain services that offer access to unlawfully acquired information, as doing so contributes to the spread of cybercrime and violates Malaysian law.

“This incident further underscores the urgent need to strengthen national legislation. The Cyber Crime Bill, which will be tabled in Parliament, introduces more comprehensive provisions and stricter penalties for various forms of cybercrime, including system intrusions and data theft,” MKN said.

The proposed provisions in the bill include the criminalisation of unauthorised access to, or damage of, computer systems and programmes without lawful authority or legitimate purpose, and defining identity theft involving the unauthorised use of another person’s identity with the intent to commit a crime as an offence. 

The council explained that the Cyber Security Act 2024, which came into force in August 2024, requires National Critical Information Infrastructure (NCII) entities to implement comprehensive protection measures, including compliance with codes of practice, risk assessments and periodic security audits to enhance the country’s cyber resilience.

It also pointed out that MyDigital ID, with more than 16 million registrations, is not a personal data storage system but functions as an identity verification platform that authenticates users directly with the National Registration Department, helping to ensure the authenticity of user identities and making digital transactions more secure.

“The widespread adoption of MyDigital ID across government and private-sector applications, including telecommunications and banking services, will further strengthen digital transaction security and help prevent identity theft,” the council said.

It reiterated the government’s priority to ensure that the benefits of digital transformation can be enjoyed safely by all Malaysians through a cybersecurity-focused approach, and that the NACSA and the council were ready to address any potential cybersecurity threats. — Bernama