Man who misused MOM data fined $86k

He tampered with 972 records in the ministry's online appointment system

Abdul Gafoor Jahangeer Basha, who was charged with numerous offences under the Computer Misuse Act, escaped jail because he was likely to be suffering from major depression at the time of his acts. -- ST FILE PHOTO
Abdul Gafoor Jahangeer Basha, who was charged with numerous offences under the Computer Misuse Act, escaped jail because he was likely to be suffering from major depression at the time of his acts. -- ST FILE PHOTO

Before leaving his employment with IT vendor NCS in August 2012, Abdul Gafoor Jahangeer Basha harvested user credentials from a source file, for a computer system under his care.

Finding vulnerabilities in the software coding for the online appointment system of the Manpower Ministry's employment pass services centre, which he had saved onto his personal laptop, he later logged in and amended or deleted a total of 972 records by executing rogue commands.

His actions forced the ministry to deploy a team to verify records and help pass applicants unable to log in.

A team of IT staff was also deployed to conduct investigations and undo the changes.

The total manpower cost incurred by MOM in the process was $19,800, with an additional $616.80 paid to the vendor for the ministry's call centre, which received 257 inquiries from affected applicants.

Yesterday, Abdul Gafoor, now 34, was fined $86,000 by a district court for numerous offences under the Computer Misuse Act.

These were committed between October and December 2012, following the early termination of his contract due to unrelated performance issues. However, these included accessing text files, logging in to the system using other users' credentials and modifying records.

He pleaded guilty to 34 charges, with another 79 taken into consideration.

The prosecution did not press for a jail term for Abdul Gafoor, noting a medical report said he was likely suffering from major depression when he committed the offences.

Calling instead for a fine in the region of $80,000, Deputy Public Prosecutor Sanjiv Vaswani said that as the sole person handling the system, Abdul Gafoor had abused the trust placed in him not to misuse the knowledge he had of its inner workings.

He added that the effects of the man's actions were lasting and had affected a large number of victims. They were detected only after several users had reported they were unable to log in, the DPP said. "This is not a straightforward case of computer misuse where the accused person had simply used another person's password to access their computer."

For each count of gaining unauthorised access to computer material, Abdul Gafoor could have been jailed up to two years and fined $5,000. For modifying the material without authorisation, he faced a jail term of up to three years and a fine of $10,000 on each charge.

Mr Vu Anh Tien, a research analyst at market research firm Frost & Sullivan, said IT security policies are important in protecting companies from former employees who may have access to sensitive information.

Said Mr Vu: "The best way for companies to protect themselves from their former employees is to find ways to keep things under control, such as having a suitable Bring Your Own Device policy that can manage devices and access to corporate systems, networks and data."

pohian@sph.com.sg

Join ST's WhatsApp Channel and get the latest news and must-reads.