SINGAPORE: A team leader at a call center in Malaysia providing technical support to Singtel customers helped a former colleague retrieve information on more than 1,000 business accounts owned by approved lenders.

The information, which included invoices, company names and landline numbers, was then used by data vendors to conduct loan sharking activities.

Syrian national Mohamad Maher Muhaffel, 32, was sentenced to 12 weeks in prison on Thursday March 18 after pleading guilty to four counts under the Computer Misuse Act. Twelve other charges were considered in sentencing.

The court heard that Maher started working as a customer service manager in 2013 for technical support company Sudong, a subsidiary of Singtel located at the Klang call center in Selangor, Malaysia.

He became a team leader in 2015, with 16 account managers under him, and had access to the company’s IT systems. These include an invoice archiving system that stores invoice details from Singtel customers.

Maher worked with co-defendant Adnan Ahmed Siddiqui, a 32-year-old Pakistani national, until July 2018, when Adnan left the company.

Around December 2017, Adnan told Maher that he was collecting customer invoices and forwarding them to a third party for sale and asked Maher to help him continue this practice.

Maher agreed and remained in contact with Adnan even after the latter left the company. Adnan would give out Maher company names, Singtel account numbers and landline numbers via Facebook, WhatsApp or emails, and Maher would retrieve the corresponding customer invoices for Adnan.

Adnan would then send the information to the third party, receiving in exchange RM 1,000 (S $ 326) to RM 1,200 per month via Western Union.

Between December 2017 and July 2019, Maher performed 1,130 unauthorized audits of accounts of companies owned by pawn shops and licensed pawn shops, although his work did not involve such research.

Police received reports in November 2018 that a group of data vendors had sold call detail records including landlines and mobile phone lines from licensed lenders to unlicensed ones.

Investigations revealed that the details of the call originated from Singtel and were being disseminated and used by data vendors to conduct loan sharking activities. Maher and Adnan have been identified as suspects.

Malaysian police arrested Maher in July 2019 and handed him over to his Singapore counterparts after an arrest warrant was issued against him.

The prosecution requested at least 14 weeks in prison, noting the transnational element of the case as the information was sold from Malaysia to Singapore, as well as the breach of trust as an employee and the long period of ‘offense.

There has also been an intrusion into the privacy of Singtel’s customers and potential damage to the phone company’s reputation, Deputy Prosecutor Kathy Chu said.

The number of customer invoices consulted was “staggering” at 1,130, she added.

Defense attorney Cory Wong of Invictus Law asked for a fine of up to S $ 20,000, claiming his client had not personally benefited from the offenses and was simply helping his friend.

He didn’t know exactly what Adnan and the third party were doing with the data, Wong said.

He said Maher has “languished in Singapore” out of work for 19.5 months and wanted to return to work to care for his elderly parents and brother with cancer.

For each count of unauthorized computer access, he could have been jailed for up to two years, fined up to S $ 5,000, or both.

Adnan was imprisoned for two months and 14 weeks in August of last year.

Singtel had previously told CNA that he had cooperated with authorities in investigations and that no other personal data had been compromised to their knowledge.

“Once we learned of the matter (…) we took immediate action to restrict access to our customers’ data and tighten security measures. We also notified all relevant corporate customers.” , said a spokesperson.