A massive database that was apparently sourced from the Election Commission (EC) MySPR system has been put on sale at a well-known database marketplace. Said to contain more than 800,000 users, the database also includes pictures of selfies and MyKad which was part of the system’s Electronic Know Your Customer (eKYC) implementation.
Before we go further, here is a refresher: members of the public were able to register themselves as voters online when the MySPR Daftar website was launched in 2019. With the implementation of automatic voter registration earlier this year though, MySPR Daftar can be deemed obsolete but it does not mean that EC has abandoned the system.
Voters still have to utilize the MySPR online system if they want to change their voting address. Similarly, Malaysian citizens that reside outside of the country as well as eligible members of security forces and related frontline agencies that have to be on duty during election day also need to use the system to apply for a postal vote.
As part of the registration process, users need to submit a picture of their MyKad alongside a selfie of them holding the card for eKYC-based verification. This also applies to the members of the Malaysian Armed Forces (ATM) and Royal Malaysian Police (PDRM) although they have to show their army or police ID instead.
As highlighted by Twitter user @acaiijawe, the seller claimed that the database also includes plenty of other details such as full name, ID number, e-mail address, birth date, hashed password, and full address. In addition to that, it also contained more than 1.6 million eKYC images with a total file size of 67GB.
Camnelah hackers ni boleh dapat semua data Pengundi dari database SPR ni.
Maklumat lengkap siap nama, IC, nombor telefon, email dan alamat. Tak cukup dengan tu, ada gambar IC dan selfie sekali!
Murah plak tu harganya . Kasihan kita semua.
Harap ini semua palsu. pic.twitter.com/y9A107q1FT
— Faisal Rahim (@acaiijawe) November 9, 2022
For this particular treasure trove, the seller is asking for around RM9,401 (USD2,000) although they specifically requested to be paid in either Bitcoin or Monero cryptocurrencies. The seller also claimed that they are in possession of the full electoral roll with details of 22 million voters although the listing focused solely on the MySPR online system’s eKYC data.
Even though @acaiijiwe’s tweet went viral just yesterday, the listing took place way back in April according to our own visit to the database marketplace. In fact, MySPR database was listed much earlier than the database belonged to the National Registration Department (JPN) which was actually done by the same seller and caused a huge commotion back in May.
Despite it being listed seven months ago, the MySPR thread is still generally active as the seller’s last thread bump took place yesterday. It is not known whether the EC is aware of this listing but regardless of that, it is rather concerning to see that the seller is not only still on the loose despite the JPN’s episode but they are also still actively looking for buyers.
The post MySPR Database With 800,000 Users Is Being Sold Online: Contains Selfies and MyKad Images appeared first on Lowyat.NET.