Exposed: The Alarming State of Data Breaches in Malaysia (2024)


data breaches in Malaysia

Data breaches have become increasingly common worldwide, causing significant damage to both individuals and companies.

Malaysia has been particularly hard hit by these incidents, with several high-profile data breaches occurring in a short period.

In 2020, the personal information of millions of Malaysians was compromised in a significant data breach.

In December 2022, a data breach allegedly involving a banking institution as well as a multimedia and broadcast agency was reported, with millions of Malaysians’ personal information being sold online.

The Alarming Reality of Data Breaches in Malaysia

security alert on smartphone

Several prominent Malaysian organizations, such as AirAsia, SPR, JPN, Accountant General’s Department of Malaysia, iPay88, and KipplePay, have already experienced data leaks as we step into 2023.

For instance, in 2022 alone, Maybank, WhatsApp, AirAsia, Carousell, and many more have suffered data breaches.

Some of these incidents resulted in sensitive personal data, such as credit card details and identity card numbers, being exposed to unauthorized individuals.


Maybank Malaysia

Maybank, one of the largest banks in Malaysia, was recently the subject of alleged data leak claims.

However, after conducting an investigation with a third party, Maybank confirmed that the data leak allegations were false and that no customer data has been compromised

These incidents highlight the need for stronger cybersecurity measures and public-private collaborations to safeguard personal data.



iPay88, a payment gateway provider in Malaysia, suffered a data breach in May 2022 that potentially compromised customers’ card data.

Since then, iPay88 has been working with cybersecurity experts to investigate and contain the breach. 

Bank Negara Malaysia (BNM) has also been involved in the investigation and has confirmed that the breach was confined to iPay88’s payment card systems and did not involve the wider payment system in Malaysia.

While the exact number of affected customers and merchants has not been disclosed, iPay88 has stated that the breach did not include card transactions through point-of-sale (POS) machines, nor did it affect transactions through Android terminals, eWallet and QR payments, online banking, buy-now-pay-later and batch card payment methods. 

iPay88’s statement was issued more than two months after the supposed data breach, and the company claims to have contained the problem, with no further suspicious activity detected since July 20, 2022. 

Additionally, iPay88 has implemented various new measures and controls to strengthen the system’s security against any further incidents.

The delay in iPay88’s public disclosure of the breach has raised concerns among some, including Lembah Pantai MP Fahmi Fadzil, who questioned why it took iPay88 so long to make the matter public. 

The Malaysian government has taken notice of the incident, and both the Communications and Multimedia Ministry and Bank Negara Malaysia are taking steps to address the breach and protect affected customers.


Kiplepay e-wallet for students

Kiplepay, an e-wallet operator and Green Packet subsidiary in Malaysia, reported a potential data breach through a third-party payment gateway provider.

The breach was caused by a cybersecurity incident that affected iPay88’s payment gateway system

The breach may affect KiplePay users who performed transactions using the third-party payment gateway system.

KiplePay assured its customers that it is taking the necessary steps to safeguard their data and interests, and will continue to work with Bank Negara Malaysia (BNM) to address the issue. 

KiplePay has notified its users of the potential data breach by email and is offering free card replacements to those affected.

Overall, KiplePay reported a potential data breach through a third-party payment gateway provider, but no confirmed reports of data loss or misuse resulting from the breach have been reported at this time. 

KiplePay has taken steps to address the issue and is offering free card replacements to affected customers.

It is important to note that data breaches have occurred in other Malaysian organizations, highlighting the need for continued vigilance and attention to data security.


AirAsia Malaysia

AirAsia, a Malaysian multinational airline company, was the subject of alleged data leak claims in November 2022, as confirmed by the Malaysian government and various news sources.

The hacker group Daixin Team claimed responsibility for the attack, which compromised the personal data of five million passengers and all employees of AirAsia.

The ransomware attack was on redundant systems, and AirAsia has launched an investigation into the alleged data breach. 

The attackers have shared two CSV files containing personal information of passengers and employees, but it is not clear what sum the hackers demanded in exchange for the decryption key. 

The stolen personal data includes both employee information and passenger booking information.

In summary, the incidence of cyberattacks on Malaysian entities has been on the rise in recent years, as evidenced by the increasing number of databases and leaks related to hacking that can be found on various forums and search engines. 

AirAsia Group is not the only Malaysian air carrier to fall victim to cyberattacks; there have also been reports of data security incidents at Malaysia Airlines.


MySejahtera App Malaysia

MySejahtera, a popular Malaysian app for contact tracing and vaccination registration, was subjected to a significant data breach in 2021 that affected three million users. 

The latest Auditor-General’s 2021 report (Series 2) confirmed that the personal information of vaccine recipients was compromised due to a breach in the MySejahtera app. 

The breach was discovered in January 2023, and the stolen data was downloaded without authorization from five different IP addresses.

The breach took place between October 28 and October 31, 2021, when a “Super Admin” account under the MyVAS system, which is used in vaccination centers to record and issue Covid-19 vaccination certificates, obtained access to the users’ personal data. 

It is essential to note that the breach was not the result of any vulnerability in the MySejahtera app itself but rather a flaw in the MyVAS system. 

This data breach emphasizes the significance of maintaining robust cybersecurity measures and protocols, particularly when dealing with sensitive personal data.

Most Significant Data Breaches: Alarm over Sale Personal Data

Date Company/Organization Type of Breach Data Exposed
March 24 ChatGPT Data Leak Personal data, credit card information
February 10 Reddit Internal Docs, Limited Information Limited contact information, advertiser information
January 30 JD Sports Personal Information Names, contact details, financial information
December 31 Slack Account Takeover Private code repositories
November 11 AirAsia Ransomware 5 million passengers and all employees’ data
November 1 Dropbox Phishing Attack API credentials and Github repositories
October 15 Shein Data Breach Personal information (39 million customers)
October 11 Toyota Unauthorized Access Email addresses and customer control numbers
October 10 Singtel Illegal Data Access Personal data of 129,000 customers and 23 businesses
October 7 Facebook Malicious Apps Facebook login credentials
August 10 Cisco Ransomware Attack Yanluowang ransomware gang breached its corporate network
August 4 Twilio Social Engineering Attack Data pertaining to 125 customers was accessed
July 26 Uber Data Breach Covered up a data breach that impacted 57 million users; paid $100,000 to hackers to keep it quiet
July 22 Twitter System Vulnerability Phone numbers and email addresses attached to 5.4 million accounts were breached
May 7 SuperVPN, GeckoVPN, and ChatVPN Data Breach Full names, usernames, country names, billing details, email addresses, and randomly generated password strings


These incidents highlight the growing threat of data breaches and cyber attacks globally.

As such, it is crucial for organizations and individuals to take the necessary measures to safeguard their data and prevent unauthorized access.

Organizations should implement robust security measures, such as firewalls, encryption, and multi-factor authentication, to protect their networks and systems.

Individuals should also take precautions, such as using strong passwords, avoiding suspicious emails or websites, and enabling two-factor authentication whenever possible, to protect their personal information.

Final takeaways

In conclusion, Malaysian individuals and organizations need to prioritize cybersecurity and data protection measures to prevent such data breaches from occurring.

It is essential to ensure that companies and agencies comply with regulations and invest in robust cybersecurity solutions.

These breaches pose a significant risk to individuals and companies, leading to financial loss, reputational damage, and potential identity theft.

If you are a service provider, Acronis Cyber Protect Cloud is a must-have tool to improve your cybersecurity and simplify your operations.

Acronis Cyber Protect Cloud

Acronis Cyber Protect Cloud is a powerful all-in-one solution that brings together backup, AI-based anti-malware, antivirus, and endpoint protection management.

This integration and automation make it easy for service providers to use and increase productivity while reducing operating costs.

Exabytes CyberSecurity Solution

Related articles:

How to Prevent Data Exfiltration to Protect Your Sensitive Data

How Acronis Protection Solution Maximizes Enterprises Cyber Security