Cybersecurity experts have weighed in on how a trove of leaked personal data from telecommunications companies (telcos) could have been kept secure even after it was stolen.

Details of the theft, said to be the biggest in the country, are still unclear but is believed to be linked to the Malaysian Communications and Multimedia Commission’s (MCMC) Public Cellular Blocking Service (PCBS).

Previously, inspector-general of police Mohamad Fuzi Harun had said it was possible that the breach “occurred after staff from a company tasked with transferring the data took advantage of the situation”.

Lowyat.net founder Vijandren Ramadass (photo), whose tech portal first exposed the leak, told Malaysiakini that there were traces that the files had been transferred electronically through cloud storage service Dropbox.

“We did find traces of the data passing through Dropbox, but can’t confirm if it was before or after it was stolen.

“Whichever way it was, protecting it would have been as simple as making sure the data was encrypted with a password before it was transferred or uploaded,” Vijandren told Malaysiakini.

He added that the password or key to unlock the data should only be known to those authorised to handle the data.

Technology strategist and hacker Dinesh Nair, who expressed similar views, said this would have kept the data safe even if it was stolen.

“This way, even if it (the data) was stolen in transit, it would be useless without collusion from either sender or receiver to decrypt the data,” Dinesh said when contacted.

“The key is usually a long series of numbers, which on first look would look like gibberish,” he said, adding that the technology had been available for decades.

The hacker said if the encryption was good enough, it was unlikely that the key could be cracked. However, the keys can still be stolen if not kept secure.

Malaysiakini reported yesterday that an analysis of the leaked data showed that most of the telcos data filenames were marked PCBS, SKMM, or MCMC.

SKMM is the Malay abbreviation for MCMC.

The PCBS, launched in February 2014, was an initiative by the MCMC to provide a service that allowed stolen phones to be blocked from making calls, texting or accessing the Internet – even if the sim card is changed.

The PCBS was not managed by MCMC itself but outsourced to private firm Nuemera Sdn Bhd.

A telco source did not disclose whether the telcos personal data were surrendered to the MCMC or directly to the manager of the system, which is Nuemera.

Police have confirmed that they are investigating Nuemera over the breach.

Asked to weigh in on the outsourcing of the PCBS management, Vijandren said this would be unavoidable in the modern data age.

“However, there is no reason for the entire bulk of the data to be shared with any third party,” he said.

He said telcos should be able to develop their own system that would allow an authorised party access to cross-check information as and when necessary.

“This way the data always remains in the care of the data owners, and third parties are still able to get the up to date data without actually having complete unrestricted access to all the data,” he added.

He relented that with the amount of data being passed around today, leaks were unavoidable.

Thus he said, companies handling sensitive data need to prepare and have a proper policy in the event of such breaches.

Malaysiakini in this KiniGuide report explains the nature of the stolen data, which included a jobs portal, a foreign exchange trading platform and medical associations, which may have been sourced from separate cybersecurity breaches.

No personal data is published in this report. Section 45 of the Personal Data Protection Act 2010 provides for an exemption for data processed for journalistic and public interest purposes.

– M’kini