Malaysian PM’s Telegram, Signal accounts hacked as officials deny data security crisis

PM Ismail Sabri’s accounts were breached by ‘irresponsible parties’, his office says, as a report shows most Malaysians are likely to have faced a data breach at least once
The hacking is among a series of major security lapses of late, and comes as authorities face accusations of running ‘troll farms’ and ‘fake accounts’

Malaysia

Hadi Azmi

Published: 8:00pm, 9 Aug 2022

Why you can trust SCMP

The private messaging accounts of Malaysia’s prime minister and a cabinet minister have reportedly been hacked, the latest in a series of major data breaches over the past few months, although the government maintains it has no reason to believe the country is facing a data security crisis.

In a statement on Monday, Prime Minister Ismail Sabri Yaacob’s office confirmed that his personal Telegram and Signal accounts had been hacked and abused by “irresponsible parties” to scam people. It advised anyone receiving messages from the compromised accounts to ignore them.

The next day, the premier confirmed the incident in parliament and advised the public to be wary of being duped by hackers. “To users, like myself and others, do not be influenced by what we receive,” Ismail Sabri told reporters at the Senate lobby.

Malaysia Foreign Minister Saifuddin Abdullah. Photo: AP

Foreign Minister Saifuddin Abdullah also urged the public to ignore messages purportedly being sent by him over Telegram, and to report those texts to the authorities.

“My Telegram account was hacked by an irresponsible party who misused my name and picture through the application,” Saifuddin said in a post on Twitter.

Neither the prime minister nor the foreign minister elaborated on the nature of the hacks.

Conversations on the Telegram app are not end-to-end encrypted by default, unlike Signal, which is among the most secure messaging platforms that is publicly available.

Why data leaks in Malaysia are on the rise – and what’s being done about it

Just last week, the Prime Minister’s Department, which houses Malaysia’s National Cybersecurity Agency and National Security Council, told parliament that there had been no breaches of government data despite reports from external parties, and claims of Malaysian databases up for sale online.

“Data leaks from government agency databases, such as the ones that went viral previously, did not happen,” Special Functions Minister Abd Latiff Ahmad said on Thursday.

Abd Latiff’s parliamentary reply echoed an earlier position taken by Home Minister Hamzah Zainuddin, who in June said the personal records of some 22.5 million Malaysians that purportedly went up for sale online two months earlier were stolen from “the internet” and other public and private agencies, rather than entities under his ministry’s purview.

In May, Defence Minister Hishammuddin Hussein said the data leaks “will not jeopardise national security”, and that the home ministry was “more than equipped” to manage the situation.

According to cybersecurity firm Surfshark, Malaysia was the 11th most-breached country in the second quarter of 2022. Photo: EPA-EFE

Statistics from Netherlands-based cybersecurity company Surfshark show that globally, Malaysia was the 11th most-breached country in the second quarter of 2022, with 665,200 accounts compromised over the period – a 733 per cent hike from the previous quarter.

“In Southeast Asia … 64 out of every 100 [people], have been affected by data breaches. However, in Malaysia, this number goes up to 138 per 100 people,” said Agneska Sablovskaja, a data researcher at Surfshark. “Statistically speaking, an average Malaysian has been affected by data breaches at least one time.”

Surfshark found that a total of 44.2 million Malaysian accounts had been hacked since 2004, eclipsing the country’s 32.7 million population.

If two ministers have their accounts hacked, and one of them is the prime minister, it raises serious questions about our security

Syahredzan Johan, DAP

The government’s repeated denials of data breaches have done little to quell public anxiety, with broad debates on social media on a perceived increase in spam and phishing attempts in recent months, particularly over text messaging.

Legal activist and politician Syahredzan Johan from the opposition Democratic Action Party criticised the government’s lackadaisical attitude over the whole situation.

“If my Telegram account got hacked, it would be no surprise. I’m a nobody. But if two ministers have their accounts hacked, and one of them is the prime minister, it raises serious questions about our security,” Syahredzan said.

Troll farm allegations

The government has also been accused of engaging in “Coordinated Inauthentic Behaviour” across various social media platforms.

Meta, the parent company of Facebook, Instagram and WhatsApp, said last week in a report that the Malaysian police force had been operating a “troll farm” that engaged in a coordinated effort “to corrupt or manipulate public discourse by using fake accounts and misleading people about who is behind them”.

“Although the people behind it attempted to conceal their identity and coordination, our investigation found links to the Royal Malaysia Police,” said the company in its Quarterly Adversarial Threat Report.

Malaysia bans party-hopping lawmakers to ease political turmoil

Meta said it had removed 596 Facebook accounts, 180 pages, 11 groups, as well as 72 Instagram accounts for engaging in online trolling activity such as “posing as independent news entities” and promoting the police “while criticising the opposition”.

Meta said the network had managed to garner a following of about 427,000 users on Facebook, and another 15,000 users on Instagram, boosted by a minimal advertising spend of US$6,000 for both platforms.

In response to Meta’s report, the Malaysian police denied any links to the troll farm and said in a statement that it was collecting further information on the allegation.

Post