Thursday 18 September 2014

Customer details of karaoke chain K Box leaked

Karaoke chain may face the music after customer data breach
Personal details of over 300,000 patrons exposed in alleged hacking
By Irene Tham, The Straits Times, 17 Sep 2014

THE personal data of over 300,000 customers of a popular karaoke bar chain here has been exposed, with the firm possibly facing sanctions for lax security.

The leak of K Box's membership database is being investigated by the privacy watchdog, the Personal Data Protection Commission, which said it is "concerned about the scale" of the alleged breach.

Organisations must take "reasonable measures" to protect personal data in their possession, said the commission, citing privacy laws which came into force on July 2. Police also confirmed that a report had been lodged and investigations are ongoing.

The leaked data included names, addresses and mobile-phone and identity card numbers, although some are outdated.

At least 15 customers confirmed with The Straits Times that their personal details had been exposed along with their K Box membership numbers and the loyalty points they had earned. The list included some local celebrities.

The perpetrators belong to a group which called itself "The Knowns". It sent an e-mail to media outlets, including The Straits Times, yesterday morning, saying that it was releasing the data to show its displeasure over recent increases in toll charges at the Woodlands Checkpoint.

It said the hikes were "an unnecessary financial burden on working Malaysians", and threatened to "attack and expose" the databases of more Singapore companies if nothing was done to reverse the charges.

From next month, driving to Malaysia via the Causeway will cost much more as Singapore has decided to match Malaysia's fee hike announced last month.

Charges will apply for vehicles entering Singapore via the Causeway as well, a fee which is not imposed today. A round trip for a car will amount to $6.50 - more than five times the current $1.20.

The charges for all other vehicles, except motorcycles, will also increase by about the same quantum.

When contacted, a representative of K Box, which runs 12 outlets here, said it is investigating if its computers had been hacked.

The 12-year-old firm was sold by its Singaporean owners to Japanese karaoke chain operator Koshidaka Holdings in February.

Security and privacy advocates said many organisations' lax attitude towards data privacy and security needs to be addressed.

Mr Chai Chin Loon, chief operating officer of locally based IT security specialist Assurity Trusted Solutions, said the database should be "encrypted with advanced authentication measures at the very least".

Engineer Ngiam Shih Tung, 47, said firms should not collect more personal data than they can handle.

"In this case, there is no reason for a karaoke bar to collect identity card numbers," he said.

K Box members feeling angry and insecure
By Pearl Lee, The Straits Times, 17 Sep 2014

A CYBER attack on karaoke bar chain K Box has left its members crooning the blues and crying for swift action, after their personal data, including their home addresses, surfaced online.

More than 300,000 people on K Box's membership scheme are affected by the leak.

One of them, university student Ms Lee, 20, said she is thinking of making a police report.

"All my private information is in the list. I keep thinking about the things people could do with the information obtained," she told The Straits Times.

"This shows a serious lapse in K Box's security system."

Another K Box member, 28-year-old Ms Kwek, said she counted four other friends who were on the list as well.

"I got the membership card during my secondary school days but it must have been more than five years since I last used it," she said.

Ms Kwek, who works in the finance industry, said she had considered making a police report but felt it was of little use.

"You can make a report but so what? The information is already out there right now."

The victims declined to be named in full, fearing further privacy breaches.

The list also contains the particulars of at least two local television celebrities, a check by The Straits Times showed.

A hacking group which calls itself The Knowns had leaked to various media outlets a list containing the names, addresses, e-mails, and phone and identity-card numbers of those holding a K Box membership card.

In an e-mail titled A Warning To Singapore Government, the group said it was releasing the information as it was unhappy that toll charges will soon be increased on this side of the Causeway.

"The selfish act increases the revenue of the Singapore Government at the expense of the common people," it said.

The Straits Times, Mediacorp, and socio-political site The Real Singapore were among those that received the e-mail. The Real Singapore reproduced a screengrab of the e-mail, which showed a link to the leaked information, on its website and its Facebook page.

Financial adviser Mr Tan, 26, said he was angry but "there is nothing I can do now".

"How can K Box compromise on its IT security? Customers' information is the most important," he said. "Even my home address has been leaked. I feel very insecure now."

None of them has been contacted by K Box.

Ms Lee added: "I think K Box should at least explain the incident to its customers."

Firms urged not to rely on just site password
By Irene Tham, The Straits Times, 18 Sep 2014

COMPANIES that rely on just a password to secure their websites are the most vulnerable to cyber attacks, security experts warned yesterday.

Also vulnerable are those that do not scan their computers regularly for security holes, they said, pointing out that this may have been how hackers had broken into and stolen the members' database of karaoke bar chain K Box.

K Box yesterday was scrambling to fix its website, leading to it being intermittently unavailable, following the massive data breach on Tuesday.

The hackers stole and posted on various websites the names, addresses and mobile phone and identity card numbers, among other things, of 300,000 customers.

Calling itself "The Knowns", the group said the cybercrime was in protest against the recent increases in toll charges at the Woodlands Checkpoint. It had threatened to "attack and expose" more Singapore companies.

New victims, the experts said, could be anyone, from restaurants to bowling alley operators, who for years have kept members' personal data in spreadsheets on unsecured computers.

"Typically, smaller companies are easier targets," said Mr Bryce Boland, chief technology officer of California-based IT security company FireEye in the Asia-Pacific.

They tend to have smaller budgets for security software and less stringent IT policies, he said.

For instance, access to sensitive data on their websites may be protected by just a username and password, and any data submitted through the website is not secured by the latest encryption technologies.

Also, Mr Boland said, when computers have undetected security holes, malicious programs can be easily installed to steal databases.

Mr Oh Sieng Chye, a locally based malware researcher at security software maker ESET of Slovakia, said: "Malicious software could have been implanted into a computer by a staff member."

This is why Mr Joe Green, Asia-Pacific head of systems engineering at network security firm Palo Alto Networks, believes in strict IT policies that prohibit certain staff from accessing particular systems.

"It can also go a long way in keeping cyber security postures watertight," he said.

Companies also should collect only what data they need, said Mr Alvin Tan, regional director for IT security firm McAfee. "And this data should be protected by encryption and constantly monitored for authorised access."

K Box, which is possibly facing fines for lax data protection, said on Tuesday night that it was undertaking a full internal probe into the theft. The breach is also being investigated by privacy watchdog, the Personal Data Protection Commission.

Privacy laws came into force on July 2 and companies found in breach of the law face fines of up to $1 million.

Little known about The Knowns
By Aw Cheng Wei, The Straits Times, 18 Sep 2014

THE Knowns, who made headlines yesterday for stealing the personal data of more than 300,000 customers of a popular karaoke chain, said in a Twitter post that they had claimed another victim, Bakerzin, in a separate security breach in June.

The group said it did so because it felt the local dessert chain had unfair employment practices.

But a check showed that the link, which supposedly leads to Bakerzin's customer database, did not work.

Bakerzin, which has about 15 outlets in Singapore and Indonesia, declined to comment.

The K Box breach was revealed through an e-mail, purportedly sent by the group to media outlets on Tuesday, which said it was releasing the data to show its displeasure over recent increases in toll charges at the Woodlands Checkpoint.

Little is known about this group, said security experts. "They might be newly formed," said Mr Alvin Tan, regional director at IT security firm McAfee.

It is also difficult to ascertain the group's identity since it has gone to great lengths to keep itself, well, unknown. For example, the e-mail blast to media outlets was sent through Tor, privacy software that relays its users' traffic through multiple, randomly chosen pathways. This prevents easy tracking.

"The intention of using Tor is to remain anonymous," said Mr Jimmy Sng, technology partner at PwC South East Asia Consulting. He added that as companies build up a larger online presence, they bear more responsibility for keeping data secure.

M1 website flaw led to one unauthorised access, telco explains
By Irene Tham, The Straits Times, 17 Sep 2014

Telco M1 said a design flaw on its website that takes pre-orders for the new Apple iPhone 6 and 6 Plus resulted in one unauthorised access to customers' personal data.

The website was restored on Tuesday after 12 hours of suspension due to a flaw that allowed a visitor to the website to access customers' personal information simply by changing data stored in a "cookie" on his browser.

"Our investigation to date has detected one case of unauthorised access to some personal information of 12 customers, such as their names and addresses," it added.

"Credit card and bank account details were not accessible. We sincerely apologise to our affected customers and are in the process of contacting them."

Customers were informed of the security loophole at 7.30pm on Monday via the telco's Facebook notice. Its website was suspended temporarily to protect customers' personal information, it said.

The Personal Data Protection Commission is investigating the M1 security loophole.

A customer alerted M1 to the potential security loophole via a post on M1's Facebook wall on Sunday at around 9pm. He was reportedly able to access information such as phone numbers, identity card numbers and home addresses from online pre-order forms.

The customer was the only one who accessed the data.
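The flaw described above, where the server trusts a customer identifier stored in the visitor's own cookie, is illustrated below with the weak pattern beside a hardened one. This is an added example written for this page, not M1's code; the customer records, the cookie name and the server key are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample records standing in for a pre-order form store
# (hypothetical data; nothing here comes from M1).
CUSTOMERS = {
    "1001": {"name": "Customer A", "address": "1 Sample Road"},
    "1002": {"name": "Customer B", "address": "2 Sample Road"},
}

# Placeholder secret; in production load it from a secret store, never from code.
SERVER_KEY = b"replace-with-a-random-server-secret"


def vulnerable_lookup(cookies):
    """Weak pattern: the customer id is read straight from the cookie.
    Editing 'cust_id' in the browser returns someone else's record."""
    return CUSTOMERS.get(cookies.get("cust_id"))


def issue_cookie(customer_id):
    """Hardened pattern: the server signs the value it sets, so any
    client-side change is detected before the value is trusted."""
    tag = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def verify_cookie(value):
    """Returns the customer id only if the signature matches; None otherwise."""
    if value is None or "." not in value:
        return None
    customer_id, tag = value.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak the valid tag.
    return customer_id if hmac.compare_digest(expected, tag) else None


def hardened_lookup(cookies):
    customer_id = verify_cookie(cookies.get("cust_id"))
    return CUSTOMERS.get(customer_id) if customer_id else None


def tamper_demo():
    """Simulates a visitor issued a cookie for 1001 who edits the id to 1002."""
    legit = issue_cookie("1001")
    tag = legit.rsplit(".", 1)[1]
    forged = "1002." + tag  # new id, old signature
    return {
        "vulnerable": vulnerable_lookup({"cust_id": "1002"})["name"],
        "hardened_legit": hardened_lookup({"cust_id": legit})["name"],
        "hardened_forged": hardened_lookup({"cust_id": forged}),
    }
```

A signed cookie only stops tampering; it still exposes the id and says nothing about who is logged in, so an opaque server-side session token with a per-request ownership check remains the stronger design.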

K Box leak a wake-up call for businesses
They can pay to secure data now or end up paying more later
By Irene Tham, The Straits Times, 20 Sep 2014

CONSUMERS often part with personal information to get members-only perks. But the parting can be painful - when personal data is leaked and made public, as in the case of over 300,000 members of karaoke bar chain K Box.

Their names, addresses and mobile phone and identity card numbers were posted on several websites on Tuesday, purportedly by hackers protesting against upcoming toll fee hikes at Woodlands Checkpoint.

It is not known if the leak was an inside job or the result of system hacking.

But the incident is a wake-up call: Businesses either pay now to secure the personal data collected, or they may end up paying a lot more later.

"There is a high price to pay for treating the protection of consumers' data lightly," said Consumers Association of Singapore executive director Seah Seng Choon.

Not only will there be a loss of reputation, but negligent businesses also face a fine of up to $1 million under a newly enforced law.

Even if hackers had stolen customers' personal data, companies must take "reasonable security measures".

The obligation is spelt out - though measures are not - in the Personal Data Protection Act, fully enforced on July 2.

Precise industry measures will take time, said lawyer Gilbert Leong, a partner at Rodyk & Davidson. "What is reasonable or expected of a bank would most likely not be reasonable or expected of a wine store, for instance."

So the industry will be watching as the Personal Data Protection Commission investigates the K Box leak, the biggest reported breach of personal data here.

Another case of a smaller scale being investigated by the commission involves the details of 12 customers of telco M1, which were exposed on Monday on an online form for pre-orders for the new iPhone.

The two cases might have happened under different circumstances, but it is worrying when personal data falls into the wrong hands.

What happened to technology blogger Alfred Siew, 40, could happen to anyone. On Tuesday, he got a call from someone using a private number claiming to be a loan shark.

"He read out my name and NRIC number... and threatened to harm my family unless I paid up. It was unnerving," said Mr Siew, unable to recall if he had ever misplaced his identity card.

Police could not help. He was told instead to file a magistrate's complaint, which may involve legal fees to prosecute the case.

Meanwhile, the K Box breach prompted some businesses to pull up their socks.

"Organisations are now more easily persuaded to take the law seriously," said media and technology lawyer Bryan Tan, a partner at Pinsent Masons MPillay.

But more can be done.

Businesses may want to take a leaf out of IT retail chain Challenger's book.

It keeps the names, identity card and phone numbers, as well as e-mail addresses of its more than 500,000 members in a server locked in a room, accessed by staff only via fingerprint scanning.

Cashiers can call up members' data when members redeem points, but cashiers need to scan their fingerprints on sale terminals.

Challenger chief operating officer Ben Tan said: "This is so that we have an audit trail if there is a leak."
