Hackers expose particulars of local karaoke chain's 317,000 members
First it was disbelief, then fear.
The teenage model and actress did not realise that her NRIC number, home address, mobile number and birthdate had been exposed until she was informed by The New Paper.
She was one of more than 317,000 members of local karaoke chain K Box whose personal details have been published online by a group of hackers calling themselves "The Knowns".
We are not naming the K Box members who spoke with TNP to protect their identities.
The young celebrity, who signed up for a K Box membership about three years ago, said that she had not received any strange phone calls yet.
"Sounds scary! Oh my gosh," she said over messaging application WhatsApp.
And when her home address was verified with her, she was horrified.
While no one has stalked her so far, she said she would be more careful in future.
"I'm definitely worried but I think that would only happen in the worst-case scenario. If it gets really serious, I'll consider changing my number," she said.
Celebrities were not the only ones concerned about their loss of privacy.
A 25-year-old manager, who was surprised to learn that she was still a K Box member, was outraged to find all her details exposed.
She said: "I'm worried that details such as my NRIC and home address can be used for all sorts of purposes, such as by loan sharks."
She questioned the need to keep her particulars in the database, especially by a karaoke club.
"I think people give out their details too easily these days for the sake of membership. Do these places really need all our details such as IC numbers?"
Late last night, K Box finally responded to queries from TNP.
Chief operating officer Priscilla Ng said they are "taking this data theft as well as publication of stolen data very seriously" and that they have been able to remove the stolen data and links from at least three websites.
She said that those responsible for the "deplorable act" will be held wholly accountable to the fullest extent of the law and also asked for customers' "patience and understanding."
NRIC MUST BE PRIVATE
NRIC numbers should be confidential. Among other things, they are used as usernames under the current SingPass system for logging into 340 Government e-services.
In June, the Infocomm Development Authority (IDA) revealed that 400 SingPass accounts had their confidential passwords reset without authorisation.
In all, more than 1,500 SingPass accounts could have been tampered with, potentially threatening the security of citizens' data like Central Provident Fund accounts and income tax records.
The IDA also said the practice of using NRIC numbers as SingPass usernames would be reviewed.
According to website The Real Singapore, an e-mail by the group "The Knowns" was sent to various parties at 4.15am yesterday.
They released the database to show their "displeasure" at the Singapore Government for raising the toll at the Causeway at Woodlands Checkpoint.
The Land Transport Authority announced on Friday that toll charges on this side of the Causeway will, from Oct 1, be raised to match the increase set by Malaysia.
The toll for cars leaving Singapore will be $3.80 (now $1.20). A new toll of $2.70 will also be imposed on all cars entering Singapore.
The hackers said in their e-mail: "The recent increase in toll at Woodlands is an unnecessary financial burden on working Malaysians.
"The selfish act increases the revenue of the Singapore Government at the expense of the common people."
The group also threatened to "attack and expose" the databases of more Singapore companies if "nothing is done to ease the burden".
A download link to a file containing the details in a spreadsheet was included at the end of the e-mail.
Local celebrities like Tay Ping Hui, Zoe Tay and Christopher Lee were revealed to be K Box VIP members, but their details were not in the database.
But the personal details of others, who are K Box "basic" or "student" members, have been published. The details include their membership numbers and loyalty points.
K Box members are entitled to lifetime membership, members' promotion and birthday treats.
A local blogger was outraged when she discovered the motives of the hackers.
"You cannot accuse the Government of being self-serving, then turn around and do an a****** move that implicates thousands of innocent people to serve your own purpose."
An MP, who signed up for K Box membership when she was a student, was also shocked and disappointed at the security breach.
She said: "I think K Box and in fact all companies, especially those who hold on to their customers' data, should step up in terms of cyber security."
Hacking site is 'simple job'
"It's actually a simple hacking job if they really wanted to do it," said IT engineer Mohamed Saiful Mohamed Najaib.
Mr Saiful said that customers' data was probably retrieved from the K Box website's database.
He explained that dynamic sites, such as the one used by K Box, store their content and customer records in a database on a back-end server.
In this case, the hacker probably got in through the website's administrative interface, which is protected only by a username and password.
"The hacker doesn't need much skills. He just had to keep trying until he got in," he said.
Mr David Siah, the country manager of security software firm Trend Micro Singapore, said that there could be other factors.
These include older applications built before the relevant security policies were in place; such applications may suddenly be exposed once web interfaces are bolted on to them.
Another possibility: Security may have been overlooked in the software development life cycle.
Mr Siah said: "As web applications, websites and browser add-ons may have vulnerabilities, an attacker with the right motivation and tools can exploit them to get access to information."
He recommends good web server security maintenance. Web applications should also be coded as securely as possible.
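The brute-force scenario Mr Saiful describes, an attacker who "just had to keep trying until he got in", is the one failure an administrative log-in should be designed to survive. The following is an added example, not code from K Box or from either expert quoted here; it assumes a hypothetical authentication log format (timestamp, OK/FAIL, username, source IP) and shows a per-account lockout that also blocks the attempt that finally guesses right, together with a detector that replays such a log and reports which accounts were locked and which later attempts were refused. The sample log lines are constructed for the example.

```python
"""Lockout and brute-force detection for an admin log-in (added example).

Assumptions (hypothetical, not from the article): an auth log whose lines look
like "2014-09-16T04:10:00 FAIL admin 203.0.113.7", and a policy of locking an
account for `window` after `max_failures` failures inside that window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line: ISO timestamp, OK|FAIL, username, source address.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+(?P<user>\S+)\s+(?P<ip>\S+)$")

# Constructed sample: "bob" spreads failures across the window (not locked),
# "alice" mistypes once, "admin" is brute-forced and guessed on attempt six.
SAMPLE_LOG = """\
2014-09-16T03:00:00 FAIL bob 192.0.2.9
2014-09-16T03:40:00 FAIL bob 192.0.2.9
2014-09-16T03:40:01 FAIL bob 192.0.2.9
2014-09-16T03:40:02 FAIL bob 192.0.2.9
2014-09-16T03:40:03 FAIL bob 192.0.2.9
2014-09-16T04:00:00 FAIL alice 198.51.100.4
2014-09-16T04:00:20 OK   alice 198.51.100.4
2014-09-16T04:10:00 FAIL admin 203.0.113.7
2014-09-16T04:10:01 FAIL admin 203.0.113.7
2014-09-16T04:10:02 FAIL admin 203.0.113.7
2014-09-16T04:10:03 FAIL admin 203.0.113.7
2014-09-16T04:10:04 FAIL admin 203.0.113.7
2014-09-16T04:10:05 OK   admin 203.0.113.7
"""


class LoginThrottle:
    """Sliding-window failure counter with a per-account lock."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = {}                     # user -> time the lock began

    def is_locked(self, user, now):
        started = self.locked.get(user)
        return started is not None and now - started < self.window

    def attempt(self, user, success, now):
        """Return 'denied' (already locked), 'locked' (this attempt tripped
        the lock) or 'allowed'. A correct password during a lock is denied too,
        so the guess that finally works is not rewarded."""
        if self.is_locked(user, now):
            return "denied"
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:   # expire old failures
            recent.popleft()
        if success:
            recent.clear()
            return "allowed"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked[user] = now
            return "locked"
        return "allowed"


def scan_log(lines, max_failures=5, window=timedelta(minutes=10)):
    """Replay auth log lines through the throttle and report lockouts and
    attempts that were refused while an account was locked."""
    throttle = LoginThrottle(max_failures, window)
    report = {"lockouts": [], "denied": []}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        now = datetime.fromisoformat(m["ts"])
        outcome = throttle.attempt(m["user"], m["result"] == "OK", now)
        if outcome == "locked":
            report["lockouts"].append((m["user"], m["ip"], m["ts"]))
        elif outcome == "denied":
            report["denied"].append((m["user"], m["ip"], m["ts"]))
    return report


if __name__ == "__main__":
    for kind, events in scan_log(SAMPLE_LOG.splitlines()).items():
        for user, ip, ts in events:
            print(f"{kind}: {user} from {ip} at {ts}")
```

Replaying the sample locks "admin" on the fifth failure and refuses the sixth attempt even though it carries the right password, while "bob", whose first failure falls outside the ten-minute window, is never locked. A per-account lock on its own lets an attacker lock administrators out of their own console, so in practice it is paired with per-source rate limiting, alerting on the lockout events this scan emits, and a second factor on the admin log-in.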
K Box could be fined $1 million
Karaoke chain K Box could be fined up to $1 million by the Personal Data Protection Commission (PDPC), said intellectual property and technology lawyer Han Wah Teng.
The PDPC is a Government statutory body established last year to administer and enforce the Personal Data Protection Act 2012 (PDPA).
A spokesman for the PDPC said: "Under the Personal Data Protection Act, organisations are required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use or similar risks.
"The PDPC is concerned about the scale of the alleged disclosure of individuals' personal data and has since reached out to K Box to investigate this matter."
K Box members whose details have been exposed can seek legal recourse against K Box. But Mr Han, who practises at Fortis Law, thinks that most people would choose not to.
"It's a family-friendly establishment. So there is no embarrassment involved with being a member.
"But in the case of celebrities, maybe they could be concerned with harassment, so the damages could be higher."
He feels K Box should be worried about the PDPC.
"While they did not deliberately disclose or abuse their customers' data, they have been negligent in protecting the information."
The police confirmed that a report has been lodged and they are looking into the matter.
Onus on us to protect details
That I have agreed to my editor's suggestion to write this reflects how violated I feel.
That I have decided to leave out my byline indicates how I fear this violation can extend to my family members.
I found my name - there are two entries - on the list of K Box's membership database that was exposed by a group with the moniker The Knowns.
My brother was the first to send me a screengrab of one entry in a WhatsApp message yesterday morning.
My immediate response was to check what personal details were included in the leak.
Of course, the two that concerned me most were my NRIC number and home address.
My reaction was to utter a string of expletives.
My next reaction was one of bewilderment: Why would a KTV chain - there are 12 outlets - need our personal details, including our NRIC numbers, phone numbers, residential addresses and marital status?
What has that got to do with the innocent intent to unwind and sing some songs?
For the record, I can count on one hand the number of times I have been to a K Box outlet.
The only reason I am a member is that K Box's former management used to co-host media conferences with record labels and film companies.
Perhaps, as others may argue, we could be overreacting to this data leak. How much damage can be done with an NRIC number, phone number or address?
Sure our addresses and landline numbers can be found in that thing called a telephone directory.
But having your IC number exposed is quite a different ball game. It could lead to a whole lot of trouble. (See main story.)
This incident exposes how careless we can be with the information that we share with businesses.
ONCE YOU SHARE...
No matter how IT-savvy we are (at least I'd like to think I am), and however well we think we can protect our personal data on devices such as our mobile phones and computers, the reality is that the minute you share it with someone else, nothing remains confidential.
Since July, the collection, use and disclosure of personal data have come under the Personal Data Protection Act (PDPA).
Those found not complying face consequences under the Act.
But the PDPA does not seek to limit an organisation's business or ability to collect and use customers' information.
The onus is on us to exercise more discretion and caution in the kind of details that we share.
You do not want to wake up one morning, like I did yesterday, to news that your precious details have been leaked.
Thankfully, I do not have any nude photos worth leaking.