Your phone and MyKad number are being sold to spammers on Whatsapp… for 1 sen
At the end of every spam call asking if you want to buy real estate, donate money, or take on a too-good-to-be-true part-time job, you probably wonder, “How the hell did they get my number?”. But deep down you know the truth. Oh, you know your number has been leaked somewhere… the question is: where?
Well, together with our friends at Jabatan Perlindungan Data Peribadi (JPDP), the government agency responsible for personal data in Malaysia, we set out to find out:
- How much personal data really costs, and
- How they were leaked in the first place.
JPDP has its own answers, however we also asked someone from an industry quite associated with spam calls – a real estate agent. We got a bit of a shock when he revealed that…
Your personal details are sold for ONE Sen
You would think that spammers and scammers would pay hundreds or thousands of Ringgit for your phone number, IC details and addresses, but… no. Actually, to those spam callers, you are just another number worth 1 sen:
Mike (not his real name) told us he has been received WhatsApp messages from data brokers selling what are known as “masterlists” – basically lists of hundreds upon thousands of names, phone numbers and possibly MyKad numbers and addresses of residents of:
- a given geographical area (such as Old Klang Road or Kelana Jaya), or
- a housing development (such as an apartment)
Mike was willing to show us these messages because he considers himself one of the “smart” real estate agents. He does not post these messages, but says that several … “contract” real estate agents could buy the master lists and use them for marketing purposes.
But here’s the thing – if you do the math, they sell these master lists for around RM50 for 5,000 contacts. Getting only RM50 for one sale obviously doesn’t make good business sense, so imagine how many people they sell the master list to, and how many people buy it. If you’ve ever wondered why 20 different marketers are calling you, you’ve got the answer.
But that leaves us with the question:
How did they get your data in the first place?
We spoke to Puan Uma Annamallai, Director of Policy and Strategic Planning for the JPDP, and she says there are several ways your information can be leaked, but they usually fall under three broad categories:
- An insider in the company leaks the data
- The company fails to implement proper SOPs
- External attacks by hackers
An inside leak is the one we most often see on TV – the disgruntled or greedy employee or someone recently fired seeking revenge. But more often than not, it’s mainly for the money.
“Some people who have access to the data store it and they have connections to people with wrong intentions or commercial criminals. Then they sell the data to these criminals.” – Puan Uma, in an interview with CILISOS
However, it takes two hands to steal, so these insiders are usually enabled because companies often fto implement proper SOPs when it comes to data security.
Sometimes the cause of the leak doesn’t have to be malicious…it can also be accidental, like when a health center in the US caused the health information of 100,000 patients to be leaked when they didn’t properly dispose of their hard drives. To prevent this, some companies have SOPs tighter than the cork on a cold bottle of cilisos; such as prohibiting workers with access to personal data or servers from taking recording devices (smartphones, USB sticks, external hard drives) where the data is stored.
“Every organization is required to train their staff in line with the Personal Data Act 2010 … because a lack of training is one of the main reasons why breaches happen.” – Puan Uma, in an interview with CILISOS
Last but not least, if a company’s cyber security is not up to snuff, Malicious hackers can huff, puff and blow up the firewalls. Although not as common as the previous two, Puan Uma says data breaches due to hackers are not unheard of. No one is really 100% safe, not even the former Malaysian Prime Minister – his Telegram account was hacked a couple of months ago.
And generally, any stolen or leaked data will end up in the hands of data brokers, like the person who WhatApp’d Mike. These individuals act as middlemen for data, selling it to fraudsters, telemarketers, criminal syndicates or on the dark web where it can be further misused.
Malaysia has a law to protect your data, but it’s not perfect (yet)
The Personal Data Act (PDPA) 2010 is intended to protect the personal information of Malaysians in business transactions and e-commerce from misuse. Any company or individual can be affected by one fine of up to RM500,000, imprisonment of up to 3 years or both if they mess up:
“…the penalty under the PDPA is very severe and anyone, from the top of the company to the bottom, can be prosecuted.” – Puan Uma, in an interview with CILISOS
But the problem is that the PDPA is not perfect. In fact, it is not only a problem in Malaysia because cyber laws are known to be at least 5 years behind today’s technological developments and probably the gap is even wider today. The PDPA was introduced in 2010 and it has yet to catch up on some aspects of technology developed in the last 12 years or so.
Puan Uma told us that there are plans by the JPDP to patch up PDPA to address some of these issues, the first of which is require that companies appoint a data protection officer.
Data protection officers are basically people who are specially trained to ensure that a company complies with the PDPA and report data breaches to the JPDP Data Protection Commissioner. Puan Uma added that it is a move that has been made by countries like Singapore for apparent success and we are following suit.
But what if the company outsources the data to another company? According to Puan Uma, it is quite common these days for companies to engage with these third parties, which are known as data processors.
Here’s an example of how it works: An online shopping platform, Beli Besar Sdn Bhd, can hire Data Cekap Sdn Bhd, a company specializing in data processing, to handle their data. In this case, Data Cekap will be the data processor for Beli Besar. The PDPA right now doesn’t really cover data processors, and that JPDP aims to fix that with legislative changes.
Eventually, the JPDP will do breach notifications are mandatory under the PDPA. As it is now, it is common practice for companies to inform the JPDP when a data breach occurs, but companies are not required to do so under the PDPA. So yes, addressing this will help companies become more accountable when a leak occurs and the JPDP can then initiate investigations where necessary. JPDP actually has more changes pendingbut for now these are the three most important ones they will highlight.
What if you find out your data has been leaked?
Call JPDP if you know your data kena bocor in commercial transactions
Sometimes you don’t even need to get hacked or have your data stolen by a wayward employee— you can give it away by not reading forms properly. We’re willing to bet that none of you read the fine print every time you click “I agree” on websites and apps, or fill out forms. Much of the time, these permissions include giving your permission for your data to be used for tracking or marketing purposes.
Puan Uma also advises everyone be more careful when posting your personal information on social media platforms:
“A lot of people put their phone numbers and addresses on social media profiles and it could potentially end up in the wrong hands.” – Puan Uma, in an interview with CILISOS
It’s never nice to know that our data is out there being bought and sold like cars at a used dealer. Still there is things you can do with it, the first of which would be to submit a complaint to the JPDP either:
When you do, the JPDP will launch an investigation and if the offending company is found to be a swindler, JPDP will take them to court (like this case which was eventually settled out of court). You could Also try to sue the company yourself, but the fact that the PDPA is criminal law means that does not work for civil actions.
Also We’ve also previously done an article on how to stop receiving spam calls, so if you’re being bombarded by spammers, that might help.