Earlier this week, Malaysiakini published an analysis of the leaked telco data, suggesting that they might have been destined for a system designed to deter mobile phone theft, set up by the Malaysian Communication and Multimedia Commission (MCMC).
This telco data, containing the identities of some 46.2 million customers, was part of a larger trove of stolen information first reported by tech website lowyat.net on October 19.
According to the police, Nuemera Sdn Bhd is the company being investigated over the data leak, but they stopped short on providing details of the investigation.
What is even more interesting is that Nuemera is also the company that is being sued by the government for failure to pay goods and services tax (GST) amounting to RM988,351.82.
But, is there a connection between these two events?
It all began in 2005 when mobile phone theft was on the rise. Official numbers the year before capped the amount of stolen devices to 100,000, but authorities believed those figures to be higher.
That very year, Nuemera was set up to deal with that problem and the fledgling company immediately started working with the Energy, Water and Communications Ministry to develop a defensive system that disabled and blocked stolen mobile phones.
The system worked like this: if a phone was stolen, all the user had to do was lodge a report with the telco provider, who would forward the complaint to the relevant ministry or agency tasked with handling communications matters – in this case, the MCMC.
The agency will immediately deactivate the device through a central database that stored a unique 15-digit code found on all handsets used nationwide. This code is called the International Mobile Equipment Identity or IMEI and no two codes are the same.
Usually when a call is made through a phone, this code is recorded by the telco provider. But as there are multiple telco providers, it only made sense to create a centralised system which would make the entire blocking process easier.
Two years later, in 2007, the ministry announced that Nuemera was appointed to establish, operate and manage the mobile phones database. So after a report has been lodged, the details will be sent to Nuemera, who will then issue an immediate alert to all other local telco providers notifying them of the stolen handset.
At this juncture, what Nuemera needed to do was to get telco companies to cooperate but this demanded that providers pay a small amount for every respective number submitted to the database.
There are not much details on how Nuemera was contracted the job. A check on MCMC’s Tenders/Requests for Proposals page did not yield any result; there were no such projects since 2005.
To be fair, there is a set of guidelines all government bodies have to go through when applying for a tender. But there are rare instances where such tenders closed or restricted or even projects being given as direct awards. These are usually related to strategic or security-related matters.
Any glimpse of information appears in a 2008 edition of .MyConvergence, the magazine published by MCMC.
On page 56, there is a textbox on mobile theft and in it, there’s a reference to Nuemera submitting a proposal to the government to develop the dataset and implement the project.
Given that this is such a young company handling a massive project cast doubts on its capabilities. Its company profile available in the Companies Commission of Malaysia (CCM) database also does not paint a convincing picture.
For example, its latest audited accounts date 2010, meaning information is not up to date. But it is the cash flow of the company that is alarming: as at 2010, it was not making any profit, what more revenue.
It ate up more almost all of its share capital of RM1 million, with a loss of more than RM900,000.
Also, the CCM document classified the company as dormant. At this point in time, if Nuemera wanted to stay in business, it desperately required an injection of capital.
The next time Nuemera is mentioned in the news is six years later in 2013. MCMC, under the leadership of Shahril Tarmizi, issued a directive to telcos urging them to comply with the mobile theft prevention initiative.
However telcos were required to pay an annual fee of RM1.50 per active user to help keep the operations of the system running 24 hours a day. (MCMC has lowered the quantum this year to 50 sen per active user.)
The company tasked to keep this system online and running is, well, Nuemera. The system, known as the Public Cellular Blocking Service was implemented end of 2013, and users know this service through the website blockmyphone.my. The massive data breach happened somewhere in 2014.
According to publicly available documents, Nuemera is made up of four shareholders, of which three of them are directors. None of them have the technical expertise.
Mohd Noor Amin Khan is a practicing lawyer. In 1999, he was among the 20 lawyers hired by Umno to defend the party against allegations and defamatory statements.
However, his involvement in cybersecurity is by way of the International Multilateral Partnership Against Cyber Threats (IMPACT), of which he is its chairman.
Launched in 2009, this was private public partnership said to be the brainchild of the then prime minister Abdullah Badawi. Coincidentally, then MCMC chief Shahril also sat on the board of trustees.
Somewhere before IMPACT, Noor Amin acquired IT software company Ascendsys, a managed security services provider. He is still the chairman of that company, too.
Shariza Kamaruzzaman, his wife, also sits on the board and is group chief executive officer of Nuemera. She is the daughter of Kamaruzzan Shariff, the former mayor of Kuala Lumpur and a senior public official, who during his tenure had stints with the Economic Planning Unit and Defence Ministry, among others. She is also a lawyer.
Nur Jazman Mohamed is the son of former information minister, the late Mohamed Rahmat, and the brother of deputy home minister Nur Jazlan. Nur Jazman is the director of Rimakmur Sdn Bhd, the company that operates the radio station Suria FM.
Lastly, there’s Norliah Kunhibava, who is a shareholder but nothing much is known about her.
But never mind that. Somewhere in Nuemera’s timeline is that civil suit by the government for its inability to pay some RM988,000 in GST for the taxable period between April 1 and June 30, 2015.
Nuemera only settled RM98,835.13 in December 2015, leaving RM889,516.19 unpaid. The government said it tried various ways and means to get the company to cough up the cash, but these attempts proved futile.
This raises an even more important question: how can a company that has been offered such a lucrative contract unable to pay GST?
During this period, telcos had to cough up RM1.50 per user. Also, from the GST owed, the company earned close to RM17 million in revenue in between April and June, which means there was a lot of business going on.
So, on one hand, the company has a huge project that almost guarantees profits. On the other hand, the company cannot afford to pay GST.
Why are these two facts so contradictory?
Keep us ad-free and independent. The Other is the result of hundreds of hours each month. If you love what you read, visit our Patreon page and consider being a patron with a recurring monthly donation of your choosing. Or email us at firstname.lastname@example.org to explore other funding options.