

Malaysia’s SOCSO suffered data breach, personal data including names, blood types, salary allegedly compromised

Malaysia’s SOCSO encountered a data breach after self-described “ethical hackers” revealed a portal breach, leaking personal data such as names, contact numbers, and blood types on an online forum.

SOCSO officially confirmed a cyber attack on its systems and database starting from 2 December.



MALAYSIA: The Malaysian Social Security Organisation (SOCSO/PERKESO) has become entangled in a recent data breach scandal after a group, self-identifying as “ethical hackers”, posted a forum thread revealing a breach in SOCSO’s portal.

In a statement last Friday (8 Dec), SOCSO confirmed a cyber attack on its systems, database and website since 2 Dec.

Last Tuesday, a hacker group posted on BreachForums, alleging the lack of proactive efforts by SOCSO officials in addressing security concerns.

“Dear fellow Malaysians, please be aware that these individuals have not only emptied your wallets but also failed to work diligently, resulting in the compromise of your personal information.”

“Consequently, you are unable to access the social security services you rightfully deserve. Regrettably, this group has not made any efforts to address your concerns. Instead, they are celebrating their dear minister’s birthday,” the post read.

The hacker condemned the responsible group’s lack of effort and accused them of deceiving the public by misleadingly attributing the system’s collapse to technical issues.

Moreover, within the same thread, the hacker shared what seemed to be a collection of SOCSO’s internal documents.

This included sample data featuring users’ personal information encompassing details like full names, IC numbers, race, gender, blood type, addresses, phone numbers, email addresses, salaries, employer codes, business names, and emergency contacts.

The shared information consisted of 5 CSV files totaling 16MB in size.


The following day, the group issued an update asserting their status as reputable hackers, emphasizing their need for financial support to fuel their commitment to identifying vulnerabilities in network systems.

Additionally, they provided further samples in a CSV file containing personal data.

In a subsequent thread, the group uploaded two videos showcasing what seemed to be a recording of a meeting at SOCSO discussing the security breach.

The videos featured a presentation deck outlining the sequence of events and the measures taken to rectify the issue.

SOCSO’s response

On 8 Dec, SOCSO issued an official statement, confirming that the system, information database, and website of the agency have been hacked since 2 Dec.

While confirming the matter, SOCSO said that a crisis management plan was activated on the same day, with the information and communication technology (ICT) unit mobilized for system recovery purposes.

It clarified that the initial modus operandi of the cyber attack was identified as an attempt to disable all of SOCSO’s infrastructure used for daily operations.

“However, the initial success of SOCSO’s ICT unit in regaining control of the system eventually led the hacker to change tactics by attempting a ‘character assassination’ attack on SOCSO’s image.”

“SOCSO assures that the planned efforts driven by this hacker will not hinder our service to contributors, employers, and the public.”

“Hence, all benefit payments, compensations, and pension disbursements to contributors and their beneficiaries will continue as scheduled,” the statement read.

SOCSO’s doubts on the “leaked data”

Regarding the leaked data on the dark web, initial investigations revealed doubts about the authenticity, completeness, and relevance of the stolen information.

SOCSO said this was because the data cluster that was targeted and stolen had never been accessed by SOCSO since its establishment in October 1971.

The statement highlighted previous cyber intrusions, stating that this incident was part of a series of attacks, with the most recent one contained successfully in September.

“The irresponsible actions of the hacker constitute an attack on the nation’s interests, hence all forensic findings will be shared with authorities to prevent similar episodes from occurring against other agencies,” it added.

In a subsequent press release on Sunday (10 Dec), SOCSO addressed ongoing forensic investigations, focusing on allegations regarding parties involved in the cyber attack.

Datuk Seri Mohammed Azman Aziz Mohammed, the Group Chief Executive Officer of SOCSO, disclosed that the agency, in collaboration with the National Security Council (MKN), agreed to initiate a police report based on findings from an internal forensic investigation, indicating elements of commercial crime.

“I give my assurance that whoever is the mastermind of this cyberattack, will be brought to justice.”

“Socso will not compromise when it comes to the protection of personal data, which is of paramount importance to the nation,” he said in the statement.

Detailed information regarding the allegedly stolen data posted on the dark web cannot be divulged yet due to the ongoing investigations, he mentioned.

Mohammed Azman highlighted SOCSO’s commitment to continuously enhance its ICT infrastructure under the guidance of MKN, the National Cyber Security Agency (Nacsa), and relevant authorities.

Their objective is to adopt robust practices ensuring no vulnerabilities exist for hacker exploitation.

He outlined four significant measures taken to address the cyberattack, initiated when it was discovered around 7 pm on 2 Dec.

These measures encompassed activating the Business Continuity Plan (BCP), fortifying SOCSO’s ICT system, conducting an internal forensic investigation, and implementing a communication strategy.

“At this stage, the authorities are satisfied with the steps taken by Socso, but further follow-up actions will be carried out from time to time, in close cooperation with the authorities,” he said.

Mohammed Azman emphasized post-crisis efforts aimed at optimizing the functionality of all SOCSO systems to safeguard the welfare of the 573,000 eligible beneficiaries registered nationwide.

In the most recent post on the BreachForums discussion thread, posted last Friday, the hacker accused SOCSO of aiming to completely “silence them” as a resolution to the issue.

The hacker reiterated their proposal to be involved in cybersecurity developments and additionally threatened to auction off all the data they had obtained.

Human Resources Minister warns against baseless speculation amid investigations

According to Malaysian media outlet The Edge Malaysia, Human Resources Minister V Sivakumar issued a statement urging all parties to allow the internal forensic team sufficient space to conduct a thorough investigation into the SOCSO cyberattack incident.

The minister emphasized the importance of ceasing baseless speculations circulating on social media, as these rumours not only obscure the situation but also have the potential to provoke unrest.

“This is to safeguard Socso’s function as an agency that provides social protection services, so as not to be jeopardised by these cyberattacks.”

“The ministry once again gives its assurance that no one will escape the law if they are found to be the mastermind of the Dec 2 incident,” he said, highlighting the successful thwarting of the attack through recovery efforts, with ongoing implementation of mitigation measures.
