Pay just RM150 for details of 200,000 people, RM350 for 10 million

The Personal Data Protection Act 2010 prohibits the redistribution of personal data to a third party without explicit consent from the subject. (AFP pic)

PETALING JAYA: Hundreds of thousands of names of potential buyers, complete with personal details, can be purchased for a song even though it’s been six years since the Personal Data Protection Act came into force in Malaysia.

An investigation by FMT found that phone numbers, MyKad details and postal addresses of thousands of Malaysians who could potentially become clients of property and banking agents can be purchased for as little as RM150.

One such seller introduced himself as Robert.

He offers his services to property agents as well as those who need the financial backgrounds and purchase histories of their clients.

For RM350, Robert said he could offer 10 million sets of personal data including MyKad and phone numbers, as well as full names and addresses.

He was willing to go down to RM150 – but this would confine the list to those in the Klang Valley.

An individual who asked to remain anonymous told FMT he had done business with Robert before.

Convinced that he was dealing with a property agent, Robert had emailed him 200,000 names and personal details hours after RM150 was wired to his bank account.

The names were confirmed against publicly available databases such as that of the Election Commission.

Robert said many real estate agents had bought such data from him.

“If you cannot get the data, how can you be a real estate agent?” he said.

“How else do you get their numbers? It can’t all be based on referrals.”

Robert could run afoul of the law, as the Personal Data Protection Act 2010 (PDPA) requires that a person be clearly notified if his personal details will be kept for a purpose other than that for which they were collected.

It also prohibits the redistribution of such data to a third party without explicit consent from the subject.

Since the Act came into force, the Department of Personal Data Protection has conducted checks and visits to companies to ensure they comply with the law.

Robert also revealed that he had retrieved the data from a third party, but stopped short of identifying the main source.

He said he also had the data of car owners, including their names, phone numbers, number plates and car models.

“For RM350, you can get between 10,000 and 50,000 (sets of personal data).”

A lawyer told FMT that the sale of personal data is not surprising.

Foong Cheng Leong, who chairs the Kuala Lumpur Bar’s information technology committee, said that while the sale of data is common, it is no longer done as openly as before due to the PDPA, which came into force in 2013.

But he said enforcement has been poor.

Despite media reports on data breaches such as the leakage of millions of mobile phone numbers two years ago, no action has been taken, Foong said.

In 2017, mobile phone numbers, identification card numbers, home addresses, IMEI and SIM card data of 46.2 million customers of at least 12 Malaysian mobile phone operators were leaked online.

“We do not know why there has been no prosecution. Perhaps due to the difficulty of conducting a data leakage investigation, data may be held by numerous data processors and rogue employees may have accessed them without permission,” said Foong.