Malaysia call centre worker jailed for retrieving Singtel customer details that were later sold to loan sharks

SINGAPORE: A team leader at a call centre in Malaysia handling technical support for Singtel customers helped an ex-colleague retrieve information from more than 1,000 business accounts belonging to licensed moneylenders.  

The information, which included bills, company names and landline numbers, was later used by data sellers to carry out loan sharking activities.

Syrian national Mohamad Maher Muhaffel, 32, was given 12 weeks' jail on Thursday (Mar 18) after pleading guilty to four charges under the Computer Misuse Act. Another 12 charges were considered in sentencing.

The court heard that Maher began working as a customer care officer in 2013 for technical support company Sudong, a subsidiary of Singtel located at Klang Call Centre in Selangor, Malaysia.

He became a team leader in 2015, with 16 customer care officers under him, and had access to IT systems in the company. These include a bill archive system that stores bill details of Singtel customers.

Maher worked with co-accused Adnan Ahmed Siddiqui, a 32-year-old Pakistani national, until around July 2018 when Adnan left the company.

Around December 2017, Adnan told Maher that he had been retrieving customers' bills and forwarding them to a third party for their sales purposes and asked Maher to help him continue this practice.

Maher agreed and remained in contact with Adnan even when the latter left the company. Adnan would give Maher company names, Singtel account numbers and landline numbers via Facebook, WhatsApp or emails, and Maher would retrieve the corresponding customer bills for Adnan.

Adnan would then send the information to the third party, receiving RM1,000 (S$326) to RM1,200 per month via Western Union in exchange. 

Between December 2017 and July 2019, Maher conducted 1,130 unauthorised screenings of business accounts belong to licensed moneylenders and pawn shops, even though his job scope did not involve making such searches.

The police received information in November 2018 that a group of data sellers had been selling statements of call details consisting of landlines and mobile phone lines of licensed moneylenders to unlicensed ones. 

Investigations revealed that the call details originated from Singtel and were disseminated and used by data sellers to carry out loan shark businesses. Maher and Adnan were identified as suspects.

Malaysian police arrested Maher in July 2019 and handed him over to their Singapore counterparts after a warrant of arrest was issued against him.

The prosecution asked for at least 14 weeks' jail, noting the transnational element of the case as the information was sold from Malaysia to Singapore, as well as the abuse of trust as an employee and the extensive period of offending.

There was also intrusion of Singtel customers' privacy, and potential damage to the telco's reputation, said Deputy Public Prosecutor Kathy Chu.

The number of customers' bills accessed was "staggering", at 1,130, she added.

Defence lawyer Cory Wong of Invictus Law asked for the maximum fine of S$20,000, saying that his client did not personally benefit from the offences and that he was just helping his friend.

He did not know what exactly Adnan and the third party were doing with the data, said Mr Wong.

He said Maher has been "languishing in Singapore" without work for 19.5 months and wants to resume his duties to take care of his elderly parents and cancer-stricken brother.

For each count of unauthorised access to a computer, he could have been jailed up to two years, fined up to S$5,000, or both.

Adnan was jailed for two months and 14 weeks in August last year.

Singtel previously told CNA that it cooperated with the authorities in investigations and that no other personal data was compromised to their knowledge.

"Once we became aware of the matter ... we took immediate action to restrict access to our customers’ data and reinforce security measures. We also informed all affected enterprise customers," said a spokesperson.