SINGAPORE - A former administrative assistant cracked the passwords of about 300 SingPass account holders and then sold the details to a China-based syndicate involved in sham Singapore visa applications.
On Monday, James Sim Guan Liang, 39, pleaded guilty to 73 charges, with another 813 taken into consideration. Most of his offences were committed under the Computer Misuse Act.
Sim, an administrative assistant then, would enter SingPass login details in running sequence into the e-services portal belonging to the Media Development Authority or Central Provident Fund Board.
From his home in Toa Payoh, he made tens of thousands of attempts between March and May 2011, after realising that there would be nothing to stop a user from using his NRIC number as his SingPass password.
He experimented by making changes to the last one or two digits of the SingPass ID and its letter suffix, before copying the ID into the password field on the website.
Every time he succeeded, he would log into a different government website with the details to retrieve the account holder's personal particulars, such as name and address, for use in the visa application process.
In total, 293 unique SingPass account details were unlawfully disclosed by Sim to a person with the pseudonym "Lemon" for the purpose of helping "Lemon" and other unknown persons to make a false statement to get a Singapore visa.
A total of 23 visa applications were successful and 20 PRC nationals were able to enter Singapore using these visas.
Three of them were subsequently found to have committed criminal offences while in Singapore, and were dealt with and repatriated.
Sim was first involved in the syndicated identity trafficking in 2006, when he met up with some members of the now-defunct social networking website WhoLivesNearYou.com.
During the meeting, he got to know "Lemon", a PRC national, who told Sim that he could make some money by handing his NRIC over to "Lemon" for a day.
Sim continued to do so on several occasions despite knowing that his credentials were used to apply for sham Singapore visas. He received $100 cash each time.
When Sim's NRIC number was rejected and could no longer be used, "Lemon" asked Sim to provide the SingPass credentials of others.
After compiling the SingPass credentials and personal details in batches, Sim would e-mail them to "Lemon", who would pay him $300 for each batch.
His case will be mentioned in court on Feb 26.
The maximum penalty for disclosing a password to gain access to a programme or data held in any computer is a $10,000 fine and three years in jail on each charge.
For unauthorised access, Sim could be fined up to $5,000, jailed for up to two years, or both.
This article was first published on Jan 25, 2016.