Data breach (unresolved)

Malaysia telecommunications mega data breach

Personal data of 46.2 million Malaysian mobile subscribers — names, ID card numbers, SIM and IMSI numbers, and addresses from at least a dozen telcos and MVNOs — was leaked and offered for sale online, in the largest data breach in Malaysian history.

Victim: Malaysian mobile operators (Maxis, Celcom, DiGi, U Mobile and others)
Records: 46.2M
Users: 46.2M

On 30 October 2017, Malaysian technology forum Lowyat.net revealed that the personal data of 46.2 million mobile subscribers was circulating for sale online — a figure exceeding Malaysia's entire population of roughly 32 million, because it included prepaid SIMs, inactive accounts, and subscribers holding multiple lines. It remains the largest data breach in Malaysian history.

What happened

In mid-October 2017, Lowyat.net received a tip that someone was attempting to sell several large databases of Malaysian personal information directly on its forums. After verifying the data, the site alerted the Malaysian Communications and Multimedia Commission (MCMC), which confirmed both the breach and the staggering 46.2 million figure within days.

The leaked records spanned at least a dozen operators and mobile virtual network operators (MVNOs), including Maxis, Celcom, DiGi, U Mobile, Altel, RedTone, TuneTalk, XOX, Enabling Asia, Friendimobile, MerchantTradeAsia and PLDT. The compromised fields were unusually rich for a telecom leak.

Data exposed

For each subscriber the data set included:

  • Full name and billing/postal address
  • Mobile telephone number
  • SIM card and IMSI (International Mobile Subscriber Identity) numbers
  • Handset model
  • National ID card (MyKad) numbers

The combination of MyKad numbers, IMSI data and phone numbers made the trove especially dangerous, enabling SIM-swap fraud, identity theft and highly targeted scam campaigns.

Source and attribution

The origin was never conclusively established. Investigators noted the data appeared to date from around 2014, suggesting it may have been extracted from a historic regulatory data set or leaked by an insider with access to aggregated subscriber records. Some analysts characterised the incident as a likely inside job, given the breadth of operators involved and the centralised nature of the data. No threat actor was ever publicly identified or charged.

Impact and response

The breach exposed essentially every mobile-using Malaysian to elevated fraud risk. The MCMC and Royal Malaysia Police opened investigations, but as of parliamentary updates in March 2018, the probe remained open with no charges. The incident became a catalyst for debate over enforcement of Malaysia's Personal Data Protection Act 2010 (PDPA) — which at the time did not apply to federal and state government data — and over the security obligations of telecom operators.

Why it matters

The 2017 telco breach is Malaysia's defining privacy incident: a nationwide exposure of identity-grade data that touched nearly the whole population, yet produced no successful prosecution and no clear accountability. It exposed structural weaknesses in how Malaysian carriers and regulators stored and shared bulk subscriber data, and it drove subsequent reforms to strengthen the PDPA and breach-notification expectations across the sector.

Timeline

  1. Lowyat.net, a Malaysian tech forum, receives a tip that someone is trying to sell large databases of Malaysian personal data on its own forums.

  2. Lowyat.net reports the breach publicly; the Malaysian Communications and Multimedia Commission (MCMC) confirms an investigation.

  3. MCMC confirms 46.2 million mobile subscriber records were exposed, spanning at least 12 telcos and MVNOs.

  4. Investigators suggest the leak may trace to a 2014 data set requested by a regulator or be an inside job; the source is never conclusively established.

  5. Deputy minister tells the Dewan Rakyat (parliament) the police and MCMC probe remains ongoing; no perpetrator is publicly charged.

Sources

  1. bbc.com: https://www.bbc.com/news/technology-41816953
  2. computerweekly.com: https://www.computerweekly.com/news/450429289/Personal-data-of-462-million-Malaysia-mobile-subscribers-leaked
  3. tripwire.com: https://www.tripwire.com/state-of-security/46-2-million-mobile-numbers-leaked-online-malaysian-data-breach
  4. thestar.com.my: https://www.thestar.com.my/news/nation/2017/10/31/msia-sees-biggest-mobile-data-breach-over-46-million-subscribed-numbers-at-risk-from-scam-attacks-an/
  5. infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/malaysian-data-breach-entire/
