Maldives data crisis: citizens' personal information sold for US$ 9,700
Scams exploiting stolen data cost US$ 90,000 in one month.
Artwork: Dosain
08 Jun, 1:07 PM
Mohamed Saif Fathih
In January 2024, during my campaign for Malé City Mayor, I was approached for an interview by an anonymous YouTuber known as Fishie – a helmeted, mask-wearing digital crusader with a passion for Minecraft and cybersecurity. Though scheduling conflicts kept me off his channel, his message remained impossible to ignore: a systemic and troubling trend in the Maldives of widespread failure to safeguard citizens' digital data.
The issue came sharply into focus earlier this month. Fishie’s posts on X (formerly Twitter) laid out serious allegations of gross negligence by both government agencies and private sector service providers. Lacking IT expertise myself, I turned to trusted friends, colleagues, and cybersecurity professionals – including the developer of the Maldives Independent website – to independently verify these claims.
What we found is deeply alarming.
Glaring Vulnerabilities
As institutions across the Maldives race to modernise with digital services and mobile apps, many are doing so without the most basic protections in place.
Among those recently implicated are the Maldives Customs Services, MediaNet, and Avas Food. Each of them, in separate and serious ways, exposed sensitive customer data due to shockingly poor cybersecurity practices.
All of the following vulnerabilities have been independently verified.
MediaNet, the country’s largest cable TV provider, allowed anyone to input a phone number on its payment portal and instantly access the subscriber's address. I tested this myself – entering my own mobile number revealed my current address without any authentication.
When contacted, MediaNet’s Digital Marketing Executive Aiman said: “The matter has been addressed on 2 June 2025; current addresses are no longer visible.”
Avas Food, a widely used food delivery app, operates without HTTPS encryption – a basic necessity for securing web traffic. Worse still, the app lacks proper authentication. A user can input a phone number and receive a user ID that grants access to names, order history, current address, geo-location, and more.
When the Maldives Independent reached out, Avas Food’s Marketing Manager Shuhail Ikram initially denied any known issues, despite social media posts and a YouTube video made specifically to criticise the flaws on the company’s app.
The IT equivalent of a bandaid was put on the problem on June 6, after I reached out.
The Maldives Customs Services launched a job application portal that allows attackers to misuse its OTP system. The portal accepts any ID number and phone number combination, failing to verify if they belong to the same person. As a result, one can obtain another person’s full name, ID card details, birth date, and permanent address – simply by submitting the wrong combination.
Customs Media Officer Aminath Liusha said the “flaw has been fixed” and assured that “in the future the Service will exercise utmost vigilance”.
But Fishie was unconvinced. “These kinds of oversight is not just irresponsible – it’s reckless,” he said.
Unfortunately, this isn’t new. In July 2023, Fishie discovered that Malé’s electricity provider, STELCO, had left its Git repositories accessible.
This oversight provided a golden opportunity for attackers to identify and exploit the weaknesses in its API (Application Programming Interface: a set of rules and protocols that allow different software applications to communicate and exchange data).
Similarly, in August 2023, the Maldives Pension Administration Office had an authorisation bug at the endpoint. It potentially exposed private employment and salary information.
Authorisation is the process of determining what permissions an authenticated user or system is afforded. It specifies what resources users have access to and what actions they can perform, determining the appropriate parameters of data access and usage.
Although the issue has been patched, an intermediary who met Mohamed Shareef, then-Chief Information Officer at the National Centre for Information Technology (NCIT), on behalf of Fishie was discouraged from going public with the news of the vulnerability.
When the Maldives Independent inquired from Mohamed Shareef about the data breaches of 2023 and whether any measures had been taken to address them, he stated: “I don’t wish to comment on individual cases.”
Meanwhile, Dr Mohamed Kinaanath, the current head of NCIT, said he was unaware of any security lapses in the Avas Food app, MediaNet website, or the Customs job portal.
“If we receive any complaints, we will definitely look into it; we have received none regarding those parties so far,” he said. I proceeded to explain the security flaws of each platform, hoping that this counts as a complaint which will trigger an investigation.
Data breaches feeding into real-world crime
Scammers use social engineering attacks or manipulative techniques to trick individuals into revealing confidential information. Armed with leaked personal data, attackers can craft messages or phone calls that appear eerily legitimate, persuading victims to disclose passwords, make financial transfers, or grant access to secure systems.
In the past month alone, scams exploiting stolen personal information have cost Maldivians over MVR 1.4 million (US$ 90,571). Police have only been able to retrieve MVR 530,752. Between 2021 and September 2024, over 28,000 scam incidents – involving over MVR 57.8 million and US$ 6.4 million – were reported to the the Maldives police.
The danger isn’t limited to tech platforms. Following the disputed 2013 presidential elections, the Supreme Court ordered the Elections Commission to publish a full voter list, including names, ID numbers, addresses, and even photos. This practice continued into the 2014 Local Council Elections.
Since then, the Department of National Registration’s entire database has been leaked multiple times online. Alarmingly, during my 2024 mayoral campaign, intermediaries offered to sell me a copy of Malé’s DNR database – complete with mobile numbers – for MVR 150,000.
Concerns escalated again in January 2025 when leaked photos showed Homeland Security Minister Ali Ihusan and senior DNR officials allegedly filling out membership forms for the ruling People’s National Congress, using data potentially sourced from the DNR. Though the government denied any misuse of personal information, the scandal sparked a no-confidence motion. Ihusan survived the late-February 2025 parliamentary vote, but public trust has yet to recover.
Digital wild west
A cyber security bill and a data protection bill had been drafted under the previous administration, former NCIT chief Shareef noted. Two public consultations had been held, and both bills were awaiting submission to parliament for debate and approval.
“Without a legal framework prescribing mandatory cybersecurity standards, independent audits and compliance certification, and penalties for breaches and mishandling of personal information, authorities are unable to effectively combat the problem,” Shareef explained.
“I am proud to have contributed to establishing the legal framework for cyber security and data protection, while also paving the way for the establishment of the National Cyber Security Agency [NCSA],” he added.
NCSA was established under a presidential directive by President Dr Mohamed Muizzu on March 18, 2024.
Until legislation is in place, Maldives will remain the digital wild west.
As Fishie aptly put it: “Anyone can roll out an online portal, request sensitive personal information, and operate without security protocols, without accountability.”
By Saif Fathih
Saif Fathih is a columnist at the Maldives Independent and a serving member of the Malé City Council for Galolhu North. With his educational background in Communication, International Studies and Public Policy, he previously worked as a journalist, editor and public policy advisor, with roles including Senior Policy Director at the Ministry of National Planning and editor of Ocean Weekly Magazine. Saif began his career as a radio producer and presenter at Minivan Radio, writer for Minivan Daily, and translator for the British High Commission and the European Union Mission to Sri Lanka and the Maldives. He is also the host of Ithuru Vaahaka, the Maldives Independent podcast.
Explore more