Malaysiakini logo
This article is 5 years old

Putrajaya ends contract with firm over one of country's largest data leak

Editor's note: Nuemera has responded to the parliamentary written reply which can be read here.


Many Malaysians may have noticed an uptick of marketing and scam calls in recent years where the caller even have your personal details such as MyKad number.

This came as no surprise when the personal data of most mobile phone users were leaked from the very system contracted by the Malaysian Communications and Multimedia Commission (MCMC) to protect such users in 2017.

The government has since ended its contract with the contractor, Nuemera (M) Sdn Bhd, and criminal investigations on the matter were handed over to the Attorney-General's Chambers.

This was confirmed in a written reply from the Communications and Multimedia Ministry to Lembah Pantai MP Fahmi Fadzil (above) today.

Fahmi had asked how was it possible that Nuemera, which was contracted to manage MCMC's Public Cellular Blocking Service (PCBS), could fail to protect the personal data of 46.2 million mobile phone accounts leading to the leak and what actions have been taken against the company.

The PCBS, launched in February 2014, was an initiative by the MCMC to provide a service that allowed stolen phones to be blocked from making calls, texting or accessing the Internet - even if the sim card is changed.

For this purpose, the Malaysian Central Equipment Identity Register (MCEIR) was created, which is a database of International Mobile Equipment Identity (IMEI) number, a unique serial that can identify every mobile phone in the country.

All major telcos in the country had surrendered the IMEI number as well as other personal data, such as names, mobile phone number, home address and MyKad number for the system.

The written reply was scarce on details of how the leak happened but said action has been taken against Nuemera following an investigation by the MCMC, Personal Data Protection Department (JPDP) and police.

"Following the investigation, on Jan 26, 2018, MCMC had suspended Nuemera's appointment as it was found that the company breached basic provisions in the contract between MCMC and Nuemera.

"On May 21, 2018, MCMC issued a notice to Nuemera informing of MCMC's decision not to renew the PCBS agreement for another five years as provided as an option in the contract agreement," it said.

On the criminal investigation front, the ministry said JPDP had investigated the matter under Section 9 of the Personal Data Protection Act 2010.

Section 9 states that "A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction...".

The ministry said the matter was also investigated under Section 130 of the same act which concerns the unlawful collection of personal data as well as Section 4 of the Computer Crimes 1997 which concerns unauthorised access with intent to commit or facilitate the commission of a further offence.

"The investigation papers have been completed and was sent to the Attorney-General's Chambers for action," it said.

In November 2017, Malaysiakini reviewed the leaked data and found evidence that it was linked to the PCBS under the MCMC which outsources it to Nuemera.