
UM saga: Staff personal data, login IDs, passwords leaked online

Several hours after the University of Malaya (UM) claimed no data and information were affected by the hacking of its online e-pay link, it is now reported that a large amount of personal data of its staff, login IDs and passwords has been dumped online.

Technology site lowyat.net last night reported that personal data of both academic and non-academic staff, including payslips and bank account details, were leaked to an anonymous file-sharing site.

“This first part of the leaked data contained payslip information of UM academic and non-academic staff members, including individual bank names and bank account numbers.

“The bank account numbers were matched to staff names, MyKad numbers as well as staff ID numbers.

“The second part was somewhat smaller in size but contained additional confidential information of Employees Tax (IRB) numbers, EPF numbers, department, branch location, position as well as salary information,” lowyat.net reported.

Also leaked within the second part, it said, were up to 24,000 login IDs and hashed passwords believed to be from UM’s e-pay link, which was reportedly hacked on Thursday.

The site further warned that more data, even that of students, were at risk of further leaks as the leaked files allegedly contained back-end passwords and database credentials.

Lowyat.net asserted that it had notified authorities prior to the publishing of the article.

When contacted by Malaysiakini, UM confirmed it is aware of the matter and is looking into it.

In a statement yesterday addressing the hacking of its e-pay online payment portal, UM claimed to have shut the system immediately after the breach was detected.

“Both the network and e-pay systems were fixed by afternoon (Oct 18) and the network reactivated. Even so, the e-pay system is still undergoing tests and will be activated soon.

“No data or information were affected from the incident and the university information system forensic team is conducting further investigations,” UM said.

As at the time of writing, the UM e-pay site is still inaccessible.

This is the latest episode in the saga affecting the varsity, which has come under siege following the controversial speech by its vice-chancellor Abdul Rahim Hashim at the Malay Dignity Congress in Shah Alam on Oct 6.

The congress was organised by UM’s Malay Excellence Studies Centre in collaboration with several other local universities.

In his speech at the congress, Rahim allegedly claimed the change in government after GE14 had eliminated Malay political dominance and asserted that Malay privileges were being questioned.

Rahim is also alleged to have warned others not to challenge the social contract.

Several quarters have called for Rahim’s resignation, citing the purported racial elements in his speech and his alleged failure to look after the university’s financial and student welfare.

This included student activist Wong Yan Ke, who, after receiving his graduation scroll on Monday, unfurled a placard accusing the VC of racism, among others, and called for his resignation.

The university has since lodged a police report against Wong, who is currently being probed under Section 504 of the Penal Code for intentional insult with intent to provoke a breach of the peace.

Response to Wong’s solo protest has been mixed, with university staff and student associations, the public and political leaders divided. Many supported his right to protest, while others supported free speech but said the convocation was not the right time and place for it.

Others have called for his degree to be withdrawn.