Channel: AsiaOne

K Box leak a wake-up call for businesses

CONSUMERS often part with personal information to get members-only perks. But the parting can be painful - when personal data is leaked and made public, as in the case of over 300,000 members of karaoke bar chain K Box.

Their names, addresses and mobile phone and identity card numbers were posted on several websites on Tuesday, purportedly by hackers protesting against upcoming toll fee hikes at Woodlands Checkpoint.

It is not known if the leak was an inside job or the result of system hacking.

But the incident is a wake-up call: Businesses either pay now to secure the personal data collected, or they may end up paying a lot more later.

"There is a high price to pay for treating the protection of consumers' data lightly," said Consumers Association of Singapore executive director Seah Seng Choon.

Not only will there be a loss of reputation, but negligent businesses also face a fine of up to $1 million under a newly enforced law. Even if hackers had stolen customers' personal data, companies must take "reasonable security measures".

The obligation is spelt out - though measures are not - in the Personal Data Protection Act, fully enforced on July 2.

Precise industry measures will take time, said lawyer Gilbert Leong, a partner at Rodyk & Davidson.

"What is reasonable or expected of a bank would most likely not be reasonable or expected of a wine store, for instance."

So the industry will be watching as the Personal Data Protection Commission investigates the K Box leak, the biggest reported breach of personal data here.

Another case of a smaller scale being investigated by the commission involves the details of 12 customers of telco M1, which were exposed on Monday on an online form for pre-orders for the new iPhone.

The two cases might have happened under different circumstances, but it is worrying when personal data falls into the wrong hands.

What happened to technology blogger Alfred Siew, 40, could happen to anyone. On Tuesday, he got a call from someone using a private number claiming to be a loan shark.

"He read out my name and NRIC number... and threatened to harm my family unless I paid up. It was unnerving," said Mr Siew, unable to recall if he had ever misplaced his identity card.

Police could not help. He was told instead to file a magistrate's complaint, which may involve legal fees to prosecute the case.

Meanwhile, the K Box breach prompted some businesses to pull up their socks.

"Organisations are now more easily persuaded to take the law seriously," said media and technology lawyer Bryan Tan, a partner at Pinsent Masons MPillay.

But more can be done.

Businesses may want to take a leaf out of IT retail chain Challenger's book.

It keeps the names, identity card and phone numbers, as well as e-mail addresses of its more than 500,000 members in a server locked in a room, accessed by staff only via fingerprint scanning.

Cashiers can call up members' data when members redeem points, but cashiers need to scan their fingerprints on sale terminals.

Challenger chief operating officer Ben Tan said: "This is so that we have an audit trail if there is a leak."

itham@sph.com.sg


This article was first published on September 20, 2014.
Get a copy of The Straits Times or go to straitstimes.com for more stories.

