Former tech support employee in Malaysia call centre jailed over sale of Singtel customer details
SINGAPORE: A technical support employee for a Malaysian subsidiary of Singtel retrieved billing information belonging to Singtel customers without authorisation and sold it, with the details later winding up in the hands of loan sharks.
For his list of computer crimes between July 2017 and July 2019, Adnan Ahmed Siddiqui, 31, was jailed on Wednesday (Aug 26) for two months and 14 weeks.
The court heard that Adnan worked for Sudong Sdn Bhd, a subsidiary of Singtel located at Klang Call Centre in Selangor, Malaysia. The call centre provided technical support for Singtel customers.
Adnan joined the company as a customer care officer in February 2014 and rose to become a team leader a year later, supervising 12 customer care officers.
Part of his job was to look into billing disputes. To do this, he used a Singtel system that gave him access to billing details of Singtel customers for the past seven years, including their personal particulars, the products and services they had bought and billing history.
Adnan could also access the call logs of business account holders by keying their billing account numbers into the system, said Deputy Public Prosecutor Selene Yap.
In 2017, Adnan's colleague, named only as Amy, told him that there was "an easy way to make money" and instructed him to send an email to an address and tell the recipient that he worked for Singtel.
When Adnan did so, the person on the other end replied and asked several questions, before telling Adnan that he would be paid if he provided copies of bills for specific account numbers.
Adnan agreed and began receiving about seven emails monthly to check on five to eight account numbers. In return, he received RM1,000 (S$240) to RM1,200 each month.
Over four months from July 2017, Adnan made almost 400 unauthorised screenings of bill records containing the call logs of Singtel customers. Some of the accounts targeted were licensed moneylending and pawn shop businesses, with Adnan making such screenings daily.
TRANSFERRED DEPARTMENT, ROPED COLLEAGUE IN
Adnan was later transferred to the Mobile Helpdesk Department within the same company. His colleague and co-accused, Mohamed Maher Muhaffel Mustasem, had heard about what Adnan was doing and wanted in.
They agreed that Adnan would liaise with the unknown person for instructions, while Mohamed Maher accessed the system. Adnan would then convert copies of the customers' bills to PDF format and send them to the unknown person.
Even after Adnan resigned in July 2018, he continued to help Mohamed Maher with his crimes.
Singtel screenings showed that Mohamed Maher's username was used to perform unauthorised screenings between December 2017 and July 2019.
Between April 2019 and July 2019, Mohamed Maher, in common intention with Adnan, performed 273 such unauthorised screenings of bill records.
In November 2018, the Singapore police received information that a group of data sellers had sold statements of call logs to unlicensed moneylenders. These statements included the call logs made from the landlines and mobile phone numbers of licensed moneylenders.
Investigations revealed that the data originated from Singtel, and Adnan and Mohamed Maher were identified as potential suspects.
A warrant of arrest was issued against Adnan, and Criminal Investigation Department (CID) officers from the Bukit Aman headquarters in Kuala Lumpur arrested him at the airport. They later handed him over to Singapore's CID officers.
Adnan pleaded guilty to eight counts under the Computer Misuse Act of unauthorised access to computer material, with another 18 counts taken into consideration.
For each charge, he could have been jailed for up to three years, fined up to S$10,000, or both.
In a statement to CNA on Thursday, a Singtel spokesperson said the company was aware that two former customer care employees from Malaysia's Klang call centre had "accessed phone numbers from some of our enterprise customers’ billing records without authorisation".
"We cooperated with the relevant authorities in the investigation. No other personal data was compromised to our knowledge," she said.
"Once we became aware of the matter last year, we took immediate action to restrict access to our customers’ data and reinforce security measures. We also informed all affected enterprise customers."
The spokesperson added that Singtel has "a zero tolerance policy for any wrongful and unauthorised conduct" and "will take the necessary disciplinary action for such offences including legal action and referring the matter to the police".