KUALA LUMPUR, June 21 — The National Security Council (NSC) has clarified that claims of a personal data leak circulating on social media refer to information believed to have originated from cybersecurity incidents reported before 2022 and are not linked to any current platform.
It said the information was believed to have been unlawfully obtained through cyber intrusions targeting various systems prior to 2022 and is now being redistributed through online platforms without authorisation.
“The National Cyber Security Agency (NACSA) emphasises that providing, disseminating or granting access to information obtained unlawfully constitutes an offence under Malaysian law, even if the service is hosted outside the country,” the NSC said in a statement today through NACSA.
The NACSA, together with MyNIC and the Personal Data Protection Department, has taken immediate action, including engaging foreign service providers to remove and block access to the websites concerned.
It is also working closely with the Royal Malaysia Police to conduct digital forensic investigations to identify those involved and bring them to justice.
The NSC advised Malaysians not to use or obtain services that offer access to unlawfully acquired information, as doing so contributes to the spread of cybercrime and violates Malaysian law.
“This incident further underscores the urgent need to strengthen national legislation. The Cyber Crime Bill, which will be tabled in Parliament, introduces more comprehensive provisions and stricter penalties for various forms of cybercrime, including system intrusions and data theft,” it said.
The proposed provisions in the bill include criminalising unauthorised access to or damage to computer systems and programmes without lawful authority or legitimate purpose, and defining identity theft involving the unauthorised use of another person's identity with the intent to commit a crime as an offence.
The NSC added that the Cyber Security Act 2024, which came into force in August 2024, requires National Critical Information Infrastructure entities to implement comprehensive protection measures, including compliance with codes of practice, risk assessments and periodic security audits to enhance the country's cyber resilience.
It noted that MyDigital ID, with more than 16 million registrations, is not a personal data storage system but functions as an identity verification platform that authenticates users directly with the National Registration Department, helping to ensure the authenticity of user identities and making digital transactions more secure.
“The widespread adoption of MyDigital ID across government and private-sector applications, including telecommunications and banking services, will further strengthen digital transaction security and help prevent identity theft,” said the NSC.
It reiterated the government’s priority to ensure that the benefits of digital transformation can be enjoyed safely by all Malaysians through a cybersecurity-focused approach, and that the NACSA and the council were ready to address any potential cybersecurity threats.
