A threat actor has claimed responsibility for leaking the employee database of the Railway Assets Corporation (RAC), a key federal statutory body under Malaysia’s Ministry of Transport. The RAC, established under the Railways Act 1991 (Act 463) and fully operational since August 1, 1992, was set up as part of the government’s efforts to advance Malaysia’s railway industry to the standards of fully developed countries. The corporation manages and develops the nation’s railway assets, having taken over from the Malayan Railway Administration (KTM), now known as Keretapi Tanah Melayu Berhad (KTMB).
The purported leaked database contains a wide array of sensitive employee information, including:
- users_id.csv: This file reportedly contains fields such as id, name, email, email_verified_at, password, type, avatar, lang, mode, created_by, plan, plan_expire_date, requested_plan, delete_status, is_active, default_pipeline, remember_token, created_at, updated_at, messenger_color, dark_mode, active_status, and last login.
- detail.csv: This file allegedly includes id, user_id, employee_id, date of birth (dob), department, designation, joining date, exit date, gender, address, mobile number, salary type, salary, branch location, bank identifier code, bank name, account number, account holder name, emergency contact, created_by, created_at, updated_at, show_budget_planner, religion, nationality, marriage status, employment status, service status, employment type, state headquarters, show_budget_utility, is head of department (is_hod), is finance user, is executive, and is human resources (is_hr).
If verified, the breach could expose the personal and professional details of RAC employees, posing serious privacy and security concerns. The leak highlights the critical need for robust cybersecurity measures to protect sensitive information within governmental organizations.
