(Photo: File, GSM News )
Malé City, Maldives, 14 June 2025 –, GSM News:
A Maldivian whistleblower, “WhoIsFishie (fISHIE)” has come forward with claims of ongoing and widespread data leaks affecting both government and private sector apps in the Maldives. The whistleblower, a local programmer who asked to remain anonymous, has been tracking data breaches since 2023.
The individual first became aware of a leak known as Fikuruge Dhirun, which exposed National ID (NID) information for individuals born before 2003. The leak was first discussed in MV Devs, a Telegram group for local developers.
After that, the whistleblower began investigating other platforms and discovered that many Maldivian apps had serious flaws in data protection. Early reports were made to companies like Purplelane and Foodies, but the whistleblower said their first major case involved the RTL app, which was reported through a friend’s company.
Later, the whistleblower found issues in the Avas Food platform. According to the source, Avas Food leaked sensitive data, including user geolocation. The company has denied any breach, but several other developers have independently confirmed the same vulnerabilities. “It’s not that hard for a developer to find it,” the whistleblower said.
The leaks differ in severity depending on the platform. Leaks involving NID details and phone numbers make it easier for scammers to conduct social engineering attacks. The RTL app reportedly displayed parts of card numbers, which could allow scammers to impersonate banks.
The whistleblower also pointed to the case of the Maldives Pension Administration Office, where the response to a reported vulnerability escalated to threats. A middleman who helped report the vulnerability was accused of hacking. When the whistleblower planned to release a video about the breach, officials warned that going public would bring consequences for the middleman.
Following that incident, the whistleblower stopped making awareness videos, though one final video was released about Avas Food. Promises made by pension officials for a paid audit were eventually ignored. “They kept delaying and then stopped responding,” the whistleblower said.
The source said government systems are particularly dangerous when compromised. “There are real consequences. Data like location can be misused for tracking people. Some of these leaks are likely being used in scams and revenge porn.”
In one personal case, the whistleblower said their own identity was stolen and registered under a political party without consent. This was only discovered years later during an election check. “There is a political aspect to this too. Data is valuable.”
Leaks reportedly affect both public and private sectors. Although not all breaches have been verified directly by the whistleblower, they mentioned hearing of a possible incident involving Housing Development Corporation (HDC) as well.
A tool was created by the whistleblower to help Maldivians check whether their data has been compromised. It is available at:
https://whoisfishie.github.io/haveibeenpwnedmv
“There’s no transparency,” the source said. “It’s hard to know how long a breach has been active or how many people have been affected. But the danger is real, and we’re not prepared.”
Editor’s Note: The original version of this article contained an error stating dates of data leak. This has been corrected in the current version.
