Karaoke chain may face the music after customer data breach

THE personal data of over 300,000 customers of a popular karaoke bar chain here has been exposed, with the firm possibly facing sanctions for lax security.

The leak of K Box's membership database is being investigated by the privacy watchdog, the Personal Data Protection Commission, which said it is "concerned about the scale" of the alleged breach.

Organisations must take "reasonable measures" to protect personal data in their possession, said the commission, citing privacy laws which came into force on July 2. Police also confirmed that a report had been lodged and investigations are ongoing.

The leaked data included names, addresses and mobilephone and identity card numbers, although some are outdated.

At least 15 customers confirmed with The Straits Times that their personal details had been exposed along with their K Box membership numbers and the loyalty points they had earned. The list included some local celebrities.

The perpetrators belong to a group which called itself "The Knowns". It sent an e-mail to media outlets, including The Straits Times, yesterday morning, saying that it was releasing the data to show its displeasure over recent increases in toll charges at the Woodlands Checkpoint.

It said the hikes were "an unnecessary financial burden on working Malaysians", and threatened to "attack and expose" the databases of more Singapore companies if nothing was done to reverse the charges.

From next month, driving to Malaysia via the Causeway will cost much more as Singapore has decided to match Malaysia's fee hike announced last month.

Charges will apply for vehicles entering Singapore via the Causeway as well, a fee which is not imposed today. A round trip for a car will amount to $6.50 - more than five times the current $1.20.

The charges for all other vehicles, except motorcycles, will also increase by about the same quantum. When contacted, a representative of K Box, which runs 12 outlets here, said it is investigating if its computers had been hacked.

The 12-year-old firm was sold by its Singaporean owners to Japanese karaoke chain operator Koshidaka Holdings in February.

Security and privacy advocates said many organisations' lax attitude towards data privacy and security needs to be addressed.

Mr Chai Chin Loon, chief operating officer of locally based IT security specialist Assurity Trusted Solutions, said the database should be "encrypted with advanced authentication measures at the very least".

Engineer Ngiam Shih Tung, 47, said firms should not collect more personal data than they can handle.

"In this case, there is no reason for a karaoke bar to collect identity card numbers," he said.


Get a copy of The Straits Times or go to straitstimes.com for more stories.