Singapore Companies Hacked and Humiliated
Hacking is increasingly in the public eye. In 2012, one example was a Singapore sweet shop website hacked by Malaysians. Last week, KBox was hacked into and more than 300,000 member details were leaked, an infamous milestone in the Singapore context. In that week, an M1 online form was hacked and some personal accounts were also compromised. Last year, Messiah aka James Raj Arokiasamy stole Standard Chartered customers’ statement details besides hacking into the AMK Town Council website. Singapore Arts Museum personnel data was also stolen by others and published for all to gawk at and abuse last year. Hackers go for the easy hack: public and private bodies who don’t bother to keep their data confidential and protected from online attacks. The hacker plague is not limited to Singapore, though it has become more and more common lately in the little red dot. This year, Home Depot, a huge US chain, was also hit and credit card details of members were stolen.
Hackers are vandals and thieves regardless of whether they hit public or private organisations, and regardless of whether they have some pretentious socio-political message or are upfront about their criminal intentions. Companies are not blameless if they allow themselves to be hacked, especially if the data leaked puts their customers at physical or financial risk. The thinking is that governments are the only ones who should keep our personal information under lock and key. Not so: as we give up our NRIC, address, email and contact numbers easily when we fill up forms for online shopping, various memberships etc., companies should also uphold some standards of securing data.
K Box leak a wake-up call for businesses
The Straits Times
Monday, Sep 22, 2014
CONSUMERS often part with personal information to get members-only perks. But the parting can be painful – when personal data is leaked and made public, as in the case of over 300,000 members of karaoke bar chain K Box.
Their names, addresses and mobile phone and identity card numbers were posted on several websites on Tuesday, purportedly by hackers protesting against upcoming toll fee hikes at Woodlands Checkpoint.
It is not known if the leak was an inside job or the result of system hacking.
But the incident is a wake-up call: Businesses either pay now to secure the personal data collected, or they may end up paying a lot more later.
“There is a high price to pay for treating the protection of consumers’ data lightly,” said Consumers Association of Singapore executive director Seah Seng Choon.
Not only will there be a loss of reputation, but negligent businesses also face a fine of up to $1 million under a newly enforced law. Even if hackers had stolen customers’ personal data, companies must take “reasonable security measures”.
The obligation is spelt out – though measures are not – in the Personal Data Protection Act, fully enforced on July 2.
Precise industry measures will take time, said lawyer Gilbert Leong, a partner at Rodyk & Davidson.
“What is reasonable or expected of a bank would most likely not be reasonable or expected of a wine store, for instance.”
So the industry will be watching as the Personal Data Protection Commission investigates the K Box leak, the biggest reported breach of personal data here.
Another case of a smaller scale being investigated by the commission involves the details of 12 customers of telco M1, which were exposed on Monday on an online form for pre-orders for the new iPhone.
The two cases might have happened under different circumstances, but it is worrying when personal data falls into the wrong hands.
What happened to technology blogger Alfred Siew, 40, could happen to anyone. On Tuesday, he got a call from someone using a private number claiming to be a loan shark.
“He read out my name and NRIC number… and threatened to harm my family unless I paid up. It was unnerving,” said Mr Siew, unable to recall if he had ever misplaced his identity card.
Police could not help. He was told instead to file a magistrate’s complaint, which may involve legal fees to prosecute the case.
Meanwhile, the K Box breach prompted some businesses to pull up their socks.
“Organisations are now more easily persuaded to take the law seriously,” said media and technology lawyer Bryan Tan, a partner at Pinsent Masons MPillay.
But more can be done.
Businesses may want to take a leaf out of IT retail chain Challenger’s book.
It keeps the names, identity card and phone numbers, as well as e-mail addresses of its more than 500,000 members in a server locked in a room, accessed by staff only via fingerprint scanning.
Cashiers can call up members’ data when members redeem points, but cashiers need to scan their fingerprints on sale terminals.
Challenger chief operating officer Ben Tan said: “This is so that we have an audit trail if there is a leak.”