A former administrative assistant cracked the passwords of about 300 SingPass account holders, then sold the details to a China-based syndicate involved in sham Singapore visa applications.
James Sim Guan Liang, 39, pleaded guilty to 73 charges yesterday and had another 813 taken into consideration. Most of the offences committed come under the Computer Misuse Act.
Between March and May 2011, Sim made tens of thousands of log-in attempts from his home in Toa Payoh, after realising that people could use their NRIC number as their SingPass password.
He keyed the SingPass log-in details into the e-services websites belonging to the Media Development Authority and Central Provident Fund Board.
To increase his chances of cracking the passwords, he would make changes to the last one or two digits of the SingPass ID and its alphabet suffix. Once successful, he would use the credentials to log onto a different government website to retrieve the account holder's personal particulars.
After compiling these details, Sim would e-mail them in batches to a person with the pseudonym "Lemon", to help the syndicate make a false statement to get a Singapore visa. Details from 293 SingPass accounts were unlawfully disclosed by Sim, who received $300 for each batch he gave to Lemon.
The syndicate, based in Zhejiang, successfully applied for 23 visas. Twenty Chinese nationals entered Singapore using those visas.
Three were subsequently found to have committed criminal offences while in Singapore. They have since been dealt with and repatriated. The status of the rest is not known.
Sim became involved in the syndicate in 2006, after meeting Lemon at a gathering with members from a now-defunct social networking website. Lemon told Sim he could make some money by handing his NRIC over for a day.
Despite knowing that his credentials were being used in sham Singapore visa applications, Sim continued to supply them on several occasions and received $100 each time. When his NRIC number was rejected and could no longer be used, Lemon asked him to provide the SingPass credentials of others.
Sim admitted his involvement in the scheme, after Immigration and Checkpoints Authority officials detected numerous suspicious visa applications involving a common credit card. None of the other perpetrators associated with the Chinese syndicate has been identified.
Sim is due to be sentenced on Feb 26. The maximum penalty for disclosing a password to gain access to a program or data held in any computer is a $10,000 fine and three years in jail on each charge.