Firms urged not to rely on just site password

Companies that rely on just a password to secure their websites are the most vulnerable to cyber attacks, security experts warned yesterday.

Also vulnerable are those that do not scan their computers regularly for security holes, they said, pointing out that this may have been how hackers had broken into and stolen the members' database of karaoke bar chain K Box.

K Box yesterday was scrambling to fix its website, leading to it being intermittently unavailable, following the massive data breach on Tuesday.

The hackers stole and posted on various websites the names, addresses and mobile phone and identity card numbers, among other things, of 300,000 customers.

Calling itself "The Knowns", the group said the cybercrime was in protest against the recent increases in toll charges at the Woodlands Checkpoint. It had threatened to "attack and expose" more Singapore companies.

New victims, the experts said, could be anyone, from restaurants to bowling alley operators, who for years have kept members' personal data on spreadsheets in unsecured computers.

"Typically, smaller companies are easier targets," said Mr Bryce Boland, chief technology officer of California-based IT security company FireEye in the Asia-Pacific.

They tend to have smaller budgets for security software and less stringent IT policies, he said.

For instance, access to sensitive data on their websites may be protected by just a username and password, and any data submitted through the website is not secured by the latest encryption technologies.

Also, Mr Boland said, when computers have undetected security holes, malicious programs can be easily installed to steal databases.

Mr Oh Sieng Chye, a locally based malware researcher at security software maker ESET of Slovakia, said: "Malicious software could have been implanted into a computer by a staff member."

This is why Mr Joe Green, Asia-Pacific head of systems engineering at network security firm Palo Alto Networks, believes in strict IT policies that prohibit certain staff from accessing particular systems.

"It can also go a long way in keeping cyber security postures watertight," he said.

Companies also should collect only what data they need, said Mr Alvin Tan, regional director for IT security firm McAfee. "And this data should be protected by encryption and constantly monitored for authorised access."

K Box, which is possibly facing fines for lax data protection, said on Tuesday night that it was undertaking a full internal probe into the theft. The breach is also being investigated by privacy watchdog, the Personal Data Protection Commission.

Privacy laws came into force on July 2 and companies found in breach of the law face fines of up to $1 million.


The Knowns, who made headlines yesterday for stealing the personal data of more than 300,000 customers of a popular karaoke chain, said in a Twitter post that they claimed another victim, Bakerzin, in another security breach in June.

The group said it did so because it felt the local dessert chain had unfair employment practices.

But a check showed that the link, which supposedly leads to Bakerzin's customer database, did not work.

Bakerzin, which has about 15 outlets in Singapore and Indonesia, declined to comment.

The K Box breach was revealed through an e-mail, purportedly sent by the group to media outlets on Tuesday, which said it was releasing the data to show its displeasure over recent increases in toll charges at the Woodlands Checkpoint.

Little is known about this group, said security experts. "They might be newly formed," said Mr Alvin Tan, regional director at IT security firm McAfee.

It is also difficult to ascertain the group's identity since it has gone to great lengths to keep itself, well, unknown. For example, the e-mail blast to media outlets was through Tor, a service client that protects its users' privacy by transmitting information through random and multiple pathways. This prevents easy tracking.

"The intention of using Tor is to remain anonymous," said Mr Jimmy Sng, technology partner at PwC South East Asia Consulting. He added that with more online presence by companies, they have more responsibility to keep data secure.

This article was first published on September 18, 2014.
Get a copy of The Straits Times or go to for more stories.
