Skip to main content

Advertisement

Advertisement

Man faces 868 charges for illegally accessing SingPass network

SINGAPORE — The SingPass accounts of nearly 300 users were allegedly cracked by a man in four months, because these users had used their NRIC numbers — also the login ID — for their passwords.

The CPF Building along Robinson Road. TODAY file photo

The CPF Building along Robinson Road. TODAY file photo

Follow TODAY on WhatsApp

SINGAPORE — The SingPass accounts of nearly 300 users were allegedly cracked by a man in four months, because these users had used their NRIC numbers — also the login ID — for their passwords.

Today (May 22), James Sim Guan Liang, 39, was charged for illegally using 293 SingPass accounts to access the Central Provident Fund (CPF) Board and Media Development Authority (MDA) websites. In addition, he is accused of sending the login information to another person.

In total, Sim faces 868 charges under the Computer Misuse Act. His alleged offences were committed between January and May 2011, three years before the incident in June last year where 1,560 SingPass accounts were breached, with about one-quarter of them having their passwords illegally reset.

In response to TODAY’s queries, the Attorney-General’s Chambers (AGC) said this was not a case of the SingPass infrastructure being hacked into.

“The accused guessed the password of the accounts in question. This was possible because all the accounts used passwords based on the NRIC of the account holder,” said a spokesperson. “There was therefore no sophisticated ‘hacking’ or the use of any tools to crack or compromise the SingPass servers.”

The majority of Sim’s charges (575) were for illegal access to the users’ CPF Member’s Homepage and/or the MDA’s Online Services and Application Migration server. The remaining 293 charges are for emailing the SingPass details to a person going by the name of “Lemon”, who is said to have used the information to make false statements to get a Singapore visa.

“Lemon’s” identity has not been made known.

Asked if Sim had sold the SingPass details to Lemon, the AGC spokesperson said no further information could be provided now as the case is ongoing.

The Infocomm Development Authority of Singapore (IDA) also declined to comment on TODAY’s queries on whether the cracked account-holders suffered any losses. SingPass is used for more than 340 online transactions with government agencies, including accessing CPF accounts, filing income taxes and checking medical records.

The IDA added that round-the-clock monitoring is conducted for the SingPass system to detect unusual activities.

“Vulnerability scans and audits are conducted regularly to better protect users’ account and personal information. Enhancements are also made to the system regularly including requirements for strong passwords,” a spokesperson said.

But account-holders must also do their part to keep their personal information safe, such as having passwords that are not too easy to guess, and not sharing their personal data or SingPass account information with anyone.

Two-factor authentification (2FA) for SingPass via SMS One Time Password or hardware token — announced in the aftermath of the incident in June last year — will be implemented from July this year, added IDA.

Sim, who is out on bail, will return to court on June 26. The prosecution said it was still finalising the charges against him.

Unauthorised disclosure of the access codes carries a maximum jail sentence of up to five years and/or fine up to S$20,000. For the offence of unauthorised access into the servers, the maximum penalty is three years’ jail and/or a fine up to S$10,000.

Read more of the latest in

Advertisement

Advertisement

Stay in the know. Anytime. Anywhere.

Subscribe to get daily news updates, insights and must reads delivered straight to your inbox.

By clicking subscribe, I agree for my personal data to be used to send me TODAY newsletters, promotional offers and for research and analysis.