Malaysia had one of the lowest organ donation rates globally in 2016. Furthermore, as of December 2017, about 21,778 people were still on the waiting list for organ transplants, despite an increase in the number of organ donors.

As such, the government has been encouraging more people to come forward as organ donors. However, this might be all for naught due to a reported leak of donors’ personal details. Malaysia’s 220,000 pledged organ donors and their next-of-kin (NOK) have allegedly had their details leaked online, reported technology news forum Lowyat.net.

The leaked file contained data updated till 31 August 2016, and it was believed that the leak took place as early as September in the same year. The details consist of the organ donors’ full name, identification card (IC) number, home address and telephone numbers, including those belonging to their NOK.

Leaked data may have originated from central database

According to Lowyat.net, the leaked information is similar to the online “Organ Donor Pledger” sign-up form, but the forum has ascertained that the data does not originate from that form.

“The leaked data contains sign-up data from government hospitals as well as National Transplant Resource Centre across the country,” the article writes, “which would mean that it has been retrieved from a central database.”

The forum also added that the files were dumped on 19 August 2016, and were uploaded to a popular online file-sharing service on 29 September 2016.

The files were divided by year of registration, starting from 1997 to 2016. However, files before January 2009 are rendered useless as the data are filled with “auto generated dummy data”.

A screenshot showing the leaked files from 1997 to 2016. Photo credit: Lowyat.net

On the other hand, the files from January 2009 to August 2016 contain the complete personal details of 220,000 registered organ donors, as well as those of their NOK.

“This leak contains one very serious implication where it reveals personal information of a nominated next-of-kin,” Lowyat.net writes. As such, “this doubles up the actual number of records leaked to 440,000, and also links two individuals to each other in a binding relationship – whether it may be husband/wife, siblings or parental.”

Aside from the personal details of the pledged organ donors, the data also includes an annual breakdown of the organ donors’ demographic data, categorised by age group, race, sex, state of origin and types of organs.

A screenshot detailing the demographic characteristics of organ pledgers for 2015. Photo credit: Lowyat.net

Organisations warned to heighten data security measures

Although the forum notified the Personal Data Protection Commission (PDPC) before publishing its findings, it urged all organisations to exercise care and diligence when handling personal data.

All government agencies involved in the collection of personal data have also been notified to immediately institute data security measures to prevent further breaches of official databases such as this one.

Commenting on this issue, Muhammad Sha’ani Abdullah, Secretary-General of the Malaysian Digital Economy Consumer Association, says that “repeated incidences by government agencies that collate massive personal data make the Personal Data Protection Act 2010 that only covers private entities meaningless.”

“Incidences of such data breaches involving government agencies should also be investigated by Public Services Department and the head of department should be taken task,” he adds.

Inspector-General of Police, Tan Sri Mohamad Fuzi Harun said the Federal Commercial Crime Investigation Department is probing the case in collaboration with MCMC and PDPC. Photo credit: Mohamad Shahril Badri Saali/New Straits Times

The PDPC, Malaysian Communications and Multimedia Commission (MCMC), and the Federal Commercial Crime Investigation Department of the police force assured that they are probing the case.

Inspector-General of Police Tan Sri Mohamad Fuzi Harun has also asserted that the police have summoned the administrators of Lowyat.net as reports on data breaches originated from the forum.

“Previously, the forum had reported on the data leakage involving 56 million telco users. Now, the same forum has revealed another data leakage,” he said.

“Part of the investigation is to establish whether the latest report came from the same source,” he added. MIMS

Sources:
http://www.themalaymailonline.com/malaysia/article/yet-another-data-breach-personal-details-of-over-200000-local-organ-donors#el0zmvALT5b9PEcq.97
https://www.nst.com.my/news/nation/2018/01/328140/personal-data-220000-organ-donors-leaked-online
https://www.lowyat.net/2018/153125/personal-details-220000-malaysian-organ-donors-next-kin-leaked-online/
https://www.themalaysianinsight.com/s/34025/
https://www.thestar.com.my/tech/tech-news/2018/01/23/data-of-over-220000-possible-organ-donors-leaked-online/
https://www.nst.com.my/news/nation/2018/01/328253/authorities-probing-data-breach-220000-malaysian-organ-donors
https://www.nst.com.my/news/nation/2018/01/328266/police-summon-lowyatnet-admins-over-organ-donors-data-leak