K Box Data Breach on September 16, 2014
The incident happened four years before 2018. Hackers breached K Box Singapore, a karaoke chain, and posted the personal data of over 300,000 of its customers online. A group calling itself “The Knowns” claimed responsibility and said it acted to show its displeasure over the increases in toll charges at the Woodlands Checkpoint taking place at that time. The K Box data breach exposed customers' personal details such as phone numbers, email addresses, dates of birth, NRIC numbers, and even marital status. As a result, the K Box entertainment group was fined about S$50,000 for failing to prevent the K Box cyberattack.
The Cause of the Outbursts of the Hackers
The hackers' outburst was triggered by the Singapore government's decision to raise the toll for vehicles leaving and entering the country to match Malaysia's toll, which had also been hiked recently. At that time, the Woodlands toll for departing cars was $1.20, set to increase to $3.80, while cars entering Singapore had paid nothing and were about to be charged $2.70. At the current time, the fee for a car leaving Singapore is S$1. According to the hackers, the toll increase was unnecessary and would only place an undue burden on working Malaysians.
It is pretty evident that the hackers wanted attention from the Government, so they decided to attack a vulnerability in a relatively bigger site, and they also issued a warning of “exposing” more Singapore companies if their views were not heard.
Protection Obligation Under Section 24 of the PDPA
The K Box cyberattack wasn’t only about K Box failing to protect the data of its customers; it also made evident how many businesses in Singapore still take the privacy of their customers lightly. According to the Protection Obligation under section 24 of the PDPA, which was passed in 2012, a business should have all the required security measures in place to protect customers’ data in its Content Management System (CMS). K Box failed this: the administrative account used the kind of username and password you find on the setup page of a new WiFi router, admin and admin. On top of that, K Box didn’t have a Data Protection Officer (DPO), which directly breaches the Openness Obligation under section 11(3) of the PDPA. According to it, a business organization should designate one or more individuals to the position. Also, according to the Openness Obligation under section 12(a), an organization must have the policies and measures through which it can meet its PDPA obligations, which again was unsatisfactory in the case of K Box.
Even though the K Box cyberattack was an unpleasant thing to happen, the event came as a lesson for many. If you have a similar business, you already know what you should be doing to value the privacy of your customers highly. You could also seek legal advice if necessary.