Malaysia's National Security Council clarifies viral data leak origin from pre-2022 cyber intrusions

The National Security Council (NSC) clarified on June 21, 2026, that personal data leaks circulating on social media originate from cyber intrusions that occurred before 2022 and are not linked to current digital platforms or systems ^{[1, 2, 3]}. Authorities emphasized that the leaked data was obtained unlawfully from various systems prior to 2022 and is now being redistributed without authorization ^{[1, 2, 3]}.

The National Cyber Security Agency (NACSA) stated that providing, disseminating, or granting access to illegally obtained information constitutes an offence under Malaysian law, even if the information or services are hosted outside the country. "NACSA emphasises that providing, disseminating or granting access to information obtained unlawfully constitutes an offence under Malaysian law, even if the service is hosted outside the country," it said ^[2].

In response, NACSA, along with MyNIC and the Personal Data Protection Department, has taken immediate steps including cooperating with foreign service providers to remove and block websites distributing the leaked data ^{[1, 2, 3]}. NACSA is also working closely with the Royal Malaysia Police to conduct digital forensic investigations aimed at identifying and prosecuting those responsible for the cybercrimes ^{[1, 2, 3]}.

The Cyber Security Act 2024, which came into force in August 2024, requires National Critical Information Infrastructure (NCII) entities to implement protection measures such as compliance checks, risk assessments, and security audits to strengthen cyber defenses ^{[1, 2, 3]}.

Malaysia is preparing to table the Cyber Crime Bill in Parliament. The bill will introduce more comprehensive provisions and harsher penalties for cybercrimes including system intrusions, data theft, and identity theft. Offenders may face fines up to 500,000 Malaysian Ringgit and prison terms of up to seven years ^{[1, 2, 3]}. The bill aims to provide stronger legal tools to combat cyber threats. A statement said, "网络犯罪法案将引入更全面的条文及更严厉的刑罚，以打击包括系统入侵及数据盗取等各种网络犯罪，违法者可被判罚款不超过50万令吉、监禁不超过7年，或两者兼施" ^[3].

MyDigital ID, an identity verification platform connected to the National Registration Department, has over 16 million registrations. The NSC clarified that MyDigital ID is not a personal data storage system but is widely used by government and private sectors—including telecommunications and banking—to secure digital transactions and prevent identity theft ^{[1, 2, 3]}.

Authorities continue monitoring and enforcing Malaysia's cyber laws. The Cyber Crime Bill is expected to be tabled in Parliament soon to strengthen penalties and protections against data theft and cyber intrusions ^{[1, 2, 3]}.