Maybank Database Leaked (Again)?! Or Did It??
Every time I come across news about data leaks, especially those involving major banks in Malaysia, my heart skips a beat. The thought of having my data leaked somewhere within the trenches of the web makes me feel exposed, as if I’m about to be attacked or bombarded with scam calls at any moment!
Luckily, the news I read is not about a bank I use. Not so lucky, though, for those who use Maybank…
Well, on July 23rd, 2024, a dark web forum ignited a firestorm of concern when an unnamed threat actor claimed to possess a database allegedly belonging to Maybank2u, the online banking platform of Malaysia’s (and arguably Southeast Asia’s) largest bank, Maybank. Claiming to have compromised sensitive user data, the perpetrator demanded USD $18,000 in cryptocurrency, sparking widespread alarm and concerns among the bank’s customers.
The forum post in question detailed an alleged leak containing personal information and login credentials of Maybank2u users. The list of compromised data reportedly included:
- Name
- Password
- Address
- Gender
- Date of Birth
- City
- IC Number
- Contact Number
- State
- Postcode
To bolster the credibility of their claim, the threat actor provided sample data and a Telegram contact for potential buyers, explicitly stating a preference for Chinese customers (which makes me believe that this might be a China-based threat actor, though this is yet to be confirmed). The initial asking price was USD $18,000, payable in either USDT or BTC.
Yet, as the dust begins to settle, questions emerge about the legitimacy of this alleged leak. Is this a genuine data breach, or merely another attempt to exploit fear for financial gain?
Maybank Says “Chill, We Got This,” But Should We Believe Them?
Maybank swiftly issued a statement refuting the claims. According to the bank, their systems remain secure, and all customer information is fully protected. The bank reiterated its commitment to data security, emphasising continuous monitoring and implementation of robust fraud countermeasures such as Secure2u for transaction authentication and cooling-off periods for high-risk activities.
Maybank’s assurance came with a cautionary note for customers to stay vigilant, protect their user IDs, passwords, and personal details, and remain wary of phishing attempts and other malicious activities. But how sure are we that they are telling the truth?
A Pattern of Deception?
Despite the alarming nature of the initial claims, closer inspection of the sample data revealed inconsistencies. Key elements typically found in secure login databases, such as security phrases and images, were conspicuously absent. This raised suspicions that the data might not be fully authentic.
Further scepticism emerged when the listing, including screenshots and sample data, vanished from the dark web forum within hours of its posting. This abrupt removal added to the suspicion that the alleged leak might be a scam, a tactic to sell off unrelated user data under the guise of a major banking breach.
This incident is not an isolated case. It bears a resemblance to previous attempts to exploit customer data for profit. Just a week prior, an effort was made to resell data from a 2017 U Mobile leak as a new breach. Similarly, in 2023, another alleged Maybank data leak involving 1.8 million records was debunked when the bank confirmed that the data did not match their system records. It seems like these data breaches have been recurring in Malaysia for quite some time!
These recurring incidents highlight a disturbing trend in which cybercriminals capitalise on fear and uncertainty, attempting to sell outdated or fabricated data as new breaches. This modus operandi not only undermines trust but also creates a persistent state of anxiety among users.
Should We Settle for “Good Enough”?
In light of this incident, Maybank has reaffirmed its commitment to customer security, urging users to report any suspicious activity immediately. The bank’s quick response and transparent communication are commendable, helping to mitigate panic and reassure customers of their data’s safety. I mean, give credit where credit is due.
However, the repeated occurrence of such incidents calls for a more robust approach to cybersecurity. We cannot be entirely sure whether the next one will still be a hoax or not. As a customer, I do not want to just sit and wait till my data is laid open to the public – not that I am 100% sure that it hasn’t happened already.
Financial institutions must raise an alert on this event and give everything they have to at least try to soften the blow if (or when) such an incident happens again.