A team leader working at a call centre in Malaysia was sentenced to 12 weeks’ jail for helping an ex-colleague obtain personal details from more than 1,000 business accounts belonging to licensed moneylenders.
These accounts are owned by Singtel customers.
The details, which includes bills, company names as well as landline numbers, was then used by data sellers to proceed with their loan sharking activities.
32-year-old Syrian national Mohammad Maher Muhaffel, who handles technical support for Singtel customers, pleaded guilty to four charges under the Computer Misuse Act. Another 12 charges were considered before passing the sentence.
According to court documents, Maher first started working at Sudong, a subsidiary of Singtel at Klang Call Centre in Selangor in 2013 as a customer care officer.
Two years later, he became a team leader with 16 customer care officers working under him. He was also given access to the company’s IT systems, which include a bill archive system that stores bill details of Singtel customers.
His co-accused, 32-year-old Pakistani national Adnan Ahmed Siddiqui, also worked in the same company until around July 2018 when he left.
Somewhere around December 2017, Adnan revealed to Maher that he had been extracting customers’ bills before forwarding them to a third party and asked Maher to continue this practice.
Agreeing to this, Maher then stayed in contact with Adnan even after the latter left the company.
It was stated that Adnan would provide Maher with company names, Singtel account numbers and landline numbers via Facebook, WhatsApp or email, and Maher will then obtain the corresponding customer bills for Adnan.
Adnan would later send the details to the third party, and in exchange will receive payment ranging from RM1,000 (S$326) to RM1,200 per month through Western Union.
From December 2017 to July 2019, Maher did 1,130 unauthorised screenings of business accounts that belong to licensed moneylenders and pawn shops, although his job role does not require him to look for such details.
In November 2018, the police discovered that a group of data sellers had been selling call details — which include landlines and mobile phone lines — of licensed moneylenders to unlicensed ones.
Investigations revealed that the call details were from Singtel and were sent to data sellers to conduct loan shark business. Both Maher and Adnan were identified as suspects.
Subsequently, the Malaysian police apprehended Maher in July 2019 and he was handed over to the Singapore police after an arrest warrant was issued against him.
The prosecution requested a minimum of 14 weeks’ jail term, highlighting the transnational element of the case, given that the information was sold from Malaysia to Singapore, as well as the abuse of trust and the extended period of crime being committed.
Deputy Public Prosecutor Kathy Chu said that there was also an intrusion of Singtel customers’ privacy and potential damage to the telco’s reputation.
She also mentioned that accessing 1,130 customers’ bills was “staggering”.
However, defence lawyer Cory Wong of Invictus Law countered and asked for the maximum fine of S$20,000, saying that Maher did not personally benefit from the offences and was merely helping his friend.
Mr Wong pointed out that his client was not aware of what Adnan and the third party were doing with the information.
He added that Maher has been “languishing in Singapore” with no work for 19.5 months and would like to resume his duties of caring for his elderly parents and cancer-stricken brother.
For each count of unauthorised access to a computer, Maher could have been sentenced to imprisonment up to two years, fined up to S$5,000, or both.
In August last year, Adnan was given sent to jail for two months and 14 weeks.
This is not the first time Singtel was embroiled in a data leak involving its customers’ details.
Just last month (17 February), personally identifiable information from 129,000 individual accounts and 23 enterprises was affected by a data privacy breach involving the telecommunications conglomerate.
The data taken includes consumer information containing varying combinations of personally identifiable information, said the company.
The enterprises include suppliers, partners and corporate customers.
Singtel said that a “large part” of the leaked data comprises the company’s internal information that is classified as non-sensitive such as data logs, test data, reports and emails.
Singtel said on 17 Feb that it has completed initial investigations into the said breach, which took place in a third-party file-sharing system, adding that it has begun reaching out to affected stakeholders.