I see you're very much concerned about liability and financial compensation here. I'm no lawyer so I don't know whether it could be a criminal offence to export prefixes like this either intentionally or by accident. However, we don't know what SLA agreements the financial institutions you speak of had with their providers. If said institution has paid for a 100% reachability guarantee then I would presume they are entitled to financial compensation. Everyone else, not so much.

I'm really not focusing on financial compensation here (I'm more interested in discouraging people from breaking the internet) , with the amount of people affected that's a topic you could write books on.

I am focusing on liability though, I very much believe Telecom Malaysia should face criminal charges for this (I do not know if they should be sentenced though, as I am not aware of all the facts. That's up for the court to figure out)

In most countries (I do not know if this applies to Malaysia too, but I believe it should) denial of service attacks are a criminal offence, I'd say exporting prefixes like this would constitute as one.

I agree that denial of service attacks are at best unlawful. However, an attack? I think not. For it to be an attack I would presume there must be some evidence of malice and intent. I have seen no such evidence of this.