Cybersecurity expert Suresh Ramasamy said the leak involved the personal data of employees registered under Pikas.

He said, however, the matter was reported to CyberSecurity Malaysia and it had confirmed that the issue was resolved.

“A server under Miti’s domain was seen to expose a directory containing over a thousand files,” said Suresh on LinkedIn.

He said some of the organisation names listed in the files indicated a large number of staff, which gives rise to the conclusion that there were more than a million records left open for public access.

The personal data included the full names of the employees, their IC numbers, contact details and employee IDs.

As to why the leak occurred, Suresh believed that the storage directory was possibly intentionally left open.

FMT has reached out to Miti for comment.

This comes after reports last month of a dataset purportedly belonging to the national registration department (JPN) being sold online. Home minister Hamzah Zainudin denied the leak, stating that the dataset did not belong to JPN.

The dataset was said to contain information on about 22.5 million Malaysians born between 1940 and 2004, including their full names, IC numbers, addresses and photographs.

Bukit Aman commercial crime investigation department director Kamarudin Md Din confirmed that police were investigating the matter.