Most cell phone numbers in Malaysia are leaked and sold to scammers. Are telcos to be blamed?


  • 73% of cell phone numbers in Malaysia are leaked or sold to scammers, equivalent to more than 21 million people connected to local telcos.
  • Other top private information leaks are login passwords and names for Malaysia, Taiwan, and Thailand, followed by the address, country, date of birth, and email leaks. 

If you are in Malaysia, use a number from a local telco provider, and have been getting more scam calls than normal, you are not alone. 73% of cell phone numbers, belonging to more than 21 million people in Malaysia, have been leaked or sold to scammers. The figure makes Malaysia the country with the most cell phone numbers breached, according to Gogolook’s 2022 Annual Fraud Report.

The report looked into private information leakage and upstream operations in the scam industry chain across countries – Taiwan, Japan, Thailand, Korea, and Malaysia. Besides cell phone numbers, the report also stated that the top private information leaks are login passwords and names for Malaysia, Taiwan, and Thailand, followed by the address, country, date of birth, and email leaks. 

Malaysia ranked 1st place in cell phone numbers breached based on the “Gogolook 2022 Annual Fraud Report”. Source: Gogolook

“The danger of personal data breaches for login passwords may lead to stolen online banking or social network accounts. When scammers access names, phone numbers, and even payment and shopping records, they can easily initiate phone and message attacks. If names and addresses are leaked, people may soon receive unsolicited packages with payment requests on arrival,” Gogolook said.

To recall, Malaysia recently deployed new reporting systems through its National Scam Response Centre, where the public can report fraud cases by dialing the hotline 997 to fight against fraud effectively. The Royal Police Malaysia (PDRM) has collaborated with Whoscall to enhance the fraud number database. The collaboration would mean fraud number database sharing from the PDRM CCID portal to the Whoscall data system, making it the most updated and reliable caller ID application for Malaysians to protect themselves against fraud crimes.

Under Malaysian law, service providers must keep customers’ data secure – unfortunately, that hasn’t been the case in Malaysia. This is not the first report highlighting the leaking of phone numbers in Malaysia. In 2017, it was revealed that a massive data breach had seen the customer data of more than 46 million mobile subscribers in Malaysia leaked onto the dark web.

A local media site, CiliSos, recently spoke to Uma Annamalai, Director of Policy & Strategic Planning for JPDP – the government agency in charge of personal data in Malaysia – and she says there are multiple ways your information can be leaked out. “They generally fall under three broad categories: an insider in the company leaks the data; the company fails to implement proper SOPs; external attacks by hackers.”

All that stolen or leaked data inevitably ends up in the hands of data brokers, who, CiliSos found, sell it for a mere one sen per contact in Malaysia. “If you do the math, they’re selling these master lists for about RM50 for 5,000 contacts. Getting only RM50 for one sale doesn’t make good business sense, so imagine how many people they’re selling the master list to and how many are buying it. If you ever wondered why 20 different marketers are calling you, there’s your answer,” the report noted.

What are the laws tied to telcos in Malaysia?

Private information leakage is often the first step leading to fraud or scam cases. According to Whoscall, powered by Gogolook, a caller ID application with 100 million downloads and the most extensive database in East Asia and Southeast Asia, the company identified over 405.4 million scam calls and messages that took place globally in 2022.

The report also showed that scammers prioritize text messages for their high penetration rates and low cost, which contributed to 76% of messages being used as the ‘first contact’ in fraud cases. “This is exceptionally true, with 95% of fraud attacks in Japan and up to 80% of fraud attacks in Taiwan, Korea, and Malaysia using messages instead of calls,” Gogolook said.

Fahmi Fadzil, Malaysia’s Minister of Communications and Digital, highlighted during an interview with a local radio station that only about 20 companies had been fined for data breaches in the past six years, at RM24,000 each on average. Lamenting this, the Minister opined on the need to review the laws related to data protection, given that data is a national treasure.

Accordingly, the Minister announced that the JPDP seeks to improve the 2022 Proposals before tabling a draft bill to amend the Personal Data Protection Act 2010 (PDPA). PDPA is the law regulating the processing of personal data regarding commercial transactions. It is considered an outdated law as it has remained the same and has yet to catch up with technological developments in the last 12 years.

The penalty for non-compliance is between RM100,000 and RM500,000 and/or one to three years imprisonment. However, a recent public consultation on the PDPA suggested certain amendments, including a requirement for data users to appoint a data protection officer; mandatory data breach notification; an obligation for data processors to comply with the security principle under the PDPA; the introduction of data portability; and the introduction of blacklisted countries, such that transfers of personal data to these countries will be prohibited.

Timeline-wise, the Minister intends to present a draft amendment bill to the PDPA at the Malaysian Parliament before the end of this year. Until then, business operators, including telco providers in Malaysia, can be considered to be operating with no heavy repercussions for loosely handling their users’ data in today’s day and age.

In short, even with laws being amended, enforcement should be effective, and telco providers in Malaysia should be made responsible. After all, there’s a legal doctrine called res ipsa loquitur that says if the telcos were in control of our data, the very fact that our data was exposed could raise an assumption that they were negligent, and they will have to prove that they were not.

The public also needs to keep itself aware of the current modus operandi of scammers from time to time, Gogolook said. For instance, an emerging scam type in Malaysia involves receiving OTP authentication codes. “At times, it can be tough to differentiate scams, but with technology, you can now download Whoscall as your first line of defense against scammers as it screens all incoming messages and calls through its proprietary database with over 1.6 billion phone number entries in real-time globally,” the report concluded.