Hackers leak data of over 300,000 K Box members

Hackers leak data of over 300,000 K Box members
More than 317,000 K Box customers’ personal details were put up for public download by hackers. Photo: K Box Karaoke, Singapore Facebook page
Published: 4:03 AM, September 17, 2014

SINGAPORE — The police have launched investigations after the personal details of hundreds of thousands of karaoke company K Box’s customers were yesterday put up for public download by hackers who breached the company’s membership database.

The list containing details such as the mobile numbers, identification card numbers and addresses of more than 317,000 K Box members was leaked as a protest against the Government’s announcement last week that it would match Malaysia’s toll hikes at the Causeway starting Oct 1, said the hackers, who call themselves The Knowns. They also threatened to steal information from the databases of other Singapore companies, if their demands against the Government are not met.

The Personal Data Protection Committee said it has contacted K Box to investigate the matter.

In an email sent at 4.17am yesterday to various parties, including MediaCorp, the hackers criticised the Government’s decision to raise toll charges, causing “an unnecessary financial burden on working Malaysians”. “If nothing is done to ease the burden then no Singaporean will be safe, we will continue to release more databases of Singapore companies. We had (sic) done it before and will do it again,” they wrote.

Last week, it was announced that toll increases for all vehicles except motorcycles leaving Singapore through the Causeway and new charges for entries into Singapore will kick in next month. These replicate Malaysia’s moves, which the Government has reiterated was a long-standing policy on Causeway tolls.

Yesterday, all 10 individuals listed in the leaked list randomly picked and contacted by TODAY confirmed that their details were accurate and expressed concern about the incident.

Ms Delia Kong wondered if K Box’s security measures were tight enough. “This is very scary. As such a big organisation, K Box should have taken appropriate measures to prevent this. Perhaps the next course of action is to stop those websites so our details will not be leaked further,” said the 32-year-old banker.

Another member, Mr Desmond Zeng, said he would have expected K Box to “take the responsibility” of informing members about the leakage. He said the incident would affect his data-sharing habits in the future. “The information I share affects my family members too. I will give more thought to how much I give out from now.”

In a letter posted on its Facebook page last night, K Box said it had managed to remove the stolen data and links from at least three websites. “We are conducting a full internal investigation, and have provided the PDPC and Singapore Police Force with our fullest cooperation,” said K Box chief operating officer Priscilla Ng in the letter.

The hacking comes on the heels of several cases of private data being exposed. In June, more than 1,500 SingPass accounts were compromised, resulting in sensitive information such as users’ addresses and monthly incomes being leaked.

In November last year, personal data of about 4,000 individuals stored on the Singapore Art Museum’s website was exposed on an overseas website.

Under the Personal Data Protection Act, organisations are required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use or similar risks. Those found in breach of the Act may be told to stop collecting, using or disclosing data, to destroy data collected in contravention of the act, and/or fined up to S$1 million.