Man hacked and sold SingPass data to China gang

A FORMER administrative assistant cracked the passwords of about 300 SingPass account holders and sold the details to a China-based syndicate involved in sham Singapore visa applications.

James Sim Guan Liang, 39, pleaded guilty to 73 charges yesterday and had another 813 taken into consideration. Most were committed under the Computer Misuse Act.

Between March and May 2011, Sim made tens of thousands of log-in attempts from his Toa Payoh home, after realising there was nothing to stop users from using NRIC numbers as SingPass passwords.

He keyed the SingPass log-in details into the e-services websites belonging to the Media Development Authority of Singapore or Central Provident Fund Board. To increase his chances of cracking the passwords, he changed the last one or two digits of the SingPass ID and its alphabet suffix.

Once successful, he used the credentials to log into a different government website to retrieve the account holder's personal particulars, such as his name and address. After compiling these details in batches, Sim would e-mail them to a person called "Lemon", for making a false statement to get a Singapore visa.

Details from 293 SingPass accounts were unlawfully disclosed by Sim, who received $300 for each batch he gave to Lemon.

Related: Man faces more than 800 computer misuse charges

The syndicate, based in Zhejiang, successfully applied for 23 visa applications. Twenty Chinese nationals entered Singapore using the visas.

Three were subsequently found to have committed criminal offences while in Singapore.

They have since been dealt with and repatriated. The status of the remaining nationals is not known.

Sim became involved with the syndicate in 2006, after meeting Lemon at a gathering with members from a now defunct social networking website.

Lemon told Sim he could make some money by handing his NRIC over for a day. Sim received $100 cash each time he did so on several occasions.

When his NRIC number was rejected and could no longer be used, Lemon asked Sim to provide the SingPass credentials of others.

Sim is due to be sentenced on Feb 26. The maximum penalty for disclosing a password to gain access to a programme or data held in any computer is a $10,000 fine and three years in jail on each charge.

Get MyPaper for more stories.