Data of 1 mil users compromised in latest reported leak?

Company involved denies cybersecurity breach despite admitting server misconfiguration

Published on 16 Jun 2022 6:00PM

by Amar Shah Mohsen

KUALA LUMPUR – More personal data belonging to Malaysians may have been leaked in the latest of a series of major breaches that have beset the country in recent years.

According to an article by Safety Detectives, a publishing group of cybersecurity experts, privacy researchers, and technical product reviewers, the data leak was identified to have originated from a company headquartered in Petaling Jaya offering a point of sale (POS) software service mostly used in eateries and retail stores.

The information of potentially thousands of these affected business premises and their staff may have been compromised in this latest leak, along with that of some one million of their customers, mostly in Malaysia.

However, in a statement to The Star, StoreHub denied there was a leak despite a server misconfiguration in one of its Amazon Web Services (AWS) Elasticsearch servers that left data exposed, claiming it fixed the vulnerability within 24 hours of becoming aware of it.

“Upon being informed by AWS, the vulnerability was patched and resolved on the same day,” the company was quoted as saying, adding that it was informed via email by AWS on Feb 3. 

StoreHub also claimed that its internal investigation found that no data was downloaded maliciously during the period, and that records did not show any spike in the volume of data transfer to external sources. 

“No sensitive financial data or passwords were contained in the vulnerability. No tokens within the dataset can be used to log in to a merchant account.”

Based on the report by Safety Detectives, the supposed leak involved over 1.7 billion individual records and over 1 terabyte of data.

It noted that some of the customers' personally identifiable information (PII) that may have been leaked includes their full names, phone numbers, home addresses and emails, as well as data related to the payments made, such as transaction dates and items ordered.

Separately, it said the leaked details from the businesses include the employees’ names, their check-in and check-out times from work, and the store’s name, address, and email.

According to Safety Detectives, the exposed data was stored on the software provider’s Elasticsearch server that was neither encrypted nor password-protected.

The leak was first discovered on January 12, although the server content may have been exposed from as early as November last year.

Safety Detectives said the server was suspected to have been secured only between late January and early February this year: its attempts to dig for more information on February 2, following a request from the Malaysia Computer Emergency Response Team (MyCERT), found that the server had been protected.

The Vibes has reached out to CyberSecurity Malaysia for confirmation and update on the matter and is awaiting its response.

StoreHub was unreachable for comment as of the time of writing.

Based on checks on its website, the company prides itself as one of Southeast Asia’s fastest growing technology companies serving over 15,000 businesses across the region, and offers a slew of products including POS software, inventory management, reporting and analytics, and integrated logistics.

POS software is a computerised network linked to checkout terminals used to help businesses process and record their sales transactions, accept different payment options from customers and prepare invoices or receipts.

In its article, Safety Detectives said the exposed PII leaves victims vulnerable to theft and fraud from bad actors who may have gotten their hands on the details, and warned affected businesses and customers to be on high alert.

Malaysia has seen an increase in data leakages in recent years, with the latest involving thousands of files containing more than 1.7 million sets of personal data linked to the Pikas programme being easily accessible from the International Trade and Industry Ministry website. 

Other major data breaches include the sale of personal details of 22.5 million Malaysians supposedly stolen by hackers from the National Registration Department, reported earlier this month, and the compromise of some 46.2 million mobile number subscribers in October 2017.

Lembah Pantai MP Fahmi Fadzil, on June 6, had urged an immediate amendment to beef up the Personal Data Protection Act 2010, following the surge in data breaches in the last five years. – The Vibes, June 16, 2022
