Two security incidents have occurred in Singapore overnight involving a local mobile operator and an entertainment company, which not only put customer data at risk but also raise questions about the ability of enterprises to adequately protect their clients.
M1 on Monday night posted a statement on its Facebook page saying it had halted pre-orders for Apple's new iPhone 6, alluding to a security-related incident. "Dear customers, we have discovered a potential security breach. As a precaution to protect our customers' personal information, we will be temporarily suspending pre-orders while we urgently investigate this issue. We apologize for the inconvenience and thank you for your patience and understanding."
The mobile operator did not provide details, and remained mum about 12 hours later on Tuesday morning, when it posted another statement noting that it had resolved the security issue and resumed taking pre-orders for the smartphone. "The potential security breach has been rectified and we are now accepting pre-orders for the iPhone 6. M1 places the utmost priority in protecting our customer data and privacy and has implemented strict processes and procedures to safeguard customer information including regular security audits.
"We will be conducting a full review on this incident, and we sincerely apologize for the inconvenience caused," said the country's third and smallest mobile operator by subscriber number. It has 2.11 million mobile customers as of end-2013.
While M1 revealed no details about what it twice described as a "potential security breach", Channel NewsAsia reported that someone had sent the local broadcaster information about a security loophole he uncovered on Sunday night when he accessed the mobile operator's iPhone pre-order online form.
Using a cookie modifier plugin on Google's Chrome web browser, he said he was able to view forms containing personal data of other M1 customers, including phone numbers, home addresses, and identification card numbers. He then posted on M1's Facebook page to inform the operator about the security hole.
Adding that he was a Computer Science masters student, he noted that the loophole was "a very simple, silly error".
The discovery and M1's subsequent statements triggered angry responses from its customers, including a "Mr William" who said he had contacted Singapore's ICT regulator, the Infocomm Development Authority (IDA), and asked that it take "immediate action against M1's security breach before it escalates". "This means that M1 customers' personal information including are at risk," he added.
Others called for "the IT guy" to be sacked, while one said "M1 CIO's head should roll". Another summed it up: "What a disaster, M1."
The Personal Data Protection Commission (PDPC) told Channel NewsAsia it was investigating the incident. "Under the Personal Data Protection Act, organizations are required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorized access, collection, use or similar risks," the government agency said.
The PDPC is also investigating a second incident involving karaoke entertainment company K Box Singapore, which may have left the personal data of its more than 317,000 members exposed. A group, which called itself The Knowns, had reportedly sent an e-mail Tuesday morning to various media outlets with a list containing personal information of K Box members, including e-mail addresses, contact numbers, birth dates, as well as membership details such as the number of loyalty points earned.
The group said it leaked the information in response to the recent toll increase for visitors coming in from neighboring nation, Malaysia, though it did not say why K Box in particular was targeted. The karaoke operator is a subsidiary of Japanese company, Koshidaka Holdings.
Channel NewsAsia said it verified the details of several individuals on the list and quoted one to say: "I'm a bit freaked out. My main concern is that with those details, someone could sign me up for random stuff." Another said he had filed a police report and expressed concern that other personal data of his might have been leaked.
Companies still ill-prepared in security
And there is cause for worry, especially since M1's "potential security breach" sounds like it's possibly due to human error or inappropriate security policy, rather than the result of a malicious hacking attack.
There's also been a spate of breaches in Singapore this past year, several of which targeted government websites, including that of the Prime Minister's Office, and personal data of government employees, and also affected 1,560 SingPass accounts used to access e-government services.
The latest two incidents suggest enterprises in the country are still ill-prepared--at best, complacent--about what's needed to protect themselves as well as their customers against cyberattacks.
I've always been paranoid about my privacy, but with the conveniences of online shopping and banking, as well as assurances from service providers that they've got my security covered, I've let down some of my guard over the past decade. This, despite having once had a frightful conversation with an IT security expert who explained why he never--and still hasn't--taken to internet banking, preferring instead to visit an ATM or bank branch.
However, if security breaches--"potential" or otherwise--continue to surface, I'd be less inclined to offer personal data about myself even if it meant better customer service in return. And I may not be the only one to feel this way. As it is, 57 percent of online shoppers in Singapore said they were worried about their financial details falling into the wrong hands, revealed a PayPal-commissioned survey conducted by GfK.
Singapore often touts itself as a conducive testbed for new and cutting-edge technology, offering a population that's highly IT-savvy, and well-connected through mobile and fiber. It has ambitions of becoming the world's "first smart nation" and wants to be Asia's intellectual property hub, but these remain at risk if security remains the missing link.
While the government recently unveiled plans to beef up its IT security monitoring capabilities and appoint chief information security officers, these would not be sufficient to combat rising cyberattacks if key service providers and businesses in Singapore aren't also ready.