KUALA LUMPUR – The Inland Revenue Board (IRB) is refuting links to a news report on the alleged sale of private data.
In a statement, the agency said it is only a user of the MyIdentity system and not its owner that was alleged to cause the data leak.
“Internal investigations have found no leakage of data and information as alleged. The IRB is also working with the National Registration Department (NRD), National Cyber Security Agency (Nacsa) and National Security Council (NSC) to look into all possibilities surrounding this allegation.
“The IRB guarantees that all data and information stored by the agency is safe because it is protected with recognised data security technology.”
Earlier today, technology blog lowyat.net reported that personal data allegedly obtained through the MyIdentity system was being sold online for 0.2 bitcoin (about RM35,000).
It was said to be advertised in online forums known to sell stolen personal data.
The blog reported that, based on the advertised sample, the data set is said to contain details such as date of birth, email, gender, mailing address, telephone number, MyKad number, permanent address, race and religion.
The seller also alleged that the data set has four million entries obtained from the MyIdentity API through the IRB website.
Meanwhile, Bernama reported that Bukit Aman Commercial Crime Investigation Department director Datuk Mohd Kamarudin Md Din said the investigation was launched after the NRD’s deputy director lodged a report at the Precint 7 police station in Putrajaya yesterday.
He said the police will obtain a report from NRD’s information technology division and inspect the NRD and IRB systems to determine the source of the alleged leak, adding that the police are looking at the allegations from all angles.
“Our initial action is to block the data from being sold. Police do not rule out the possibility of the involvement of insiders but a thorough investigation will be carried out in collaboration with the Communications and Multimedia Commission, CyberSecurity Malaysia and Nacsa,” he said in a special press conference at Jinjang Police Station here today.
Mohd Kamarudin said the case is being investigated under Section 4 (1) of the Computer Crimes Act 1997.
Meanwhile, the IRB in a statement today denied the claim, adding that IRB is only the user and not the owner of the MyIdentity system.
“An internal investigation was conducted and found no leakage of data and information as alleged.
“The IRB is also working with the NRD, Nacsa and NSC to look into all possibilities regarding the allegations,” read the statement.
It also assured that all data and information stored by the agency is safe because it is protected by recognised data security technology.
The IRB said it regretted the claim because it can erode public confidence, especially taxpayers, in the security of their data and information.
“The IRB will also like to advise the public to be more careful with such viral reports and does not rule out the possibility that it was spread by irresponsible parties to mislead and deceive the public,” read the statement. – The Vibes, September 28, 2021