By Khushwant Singh

FOR a week, members of an online community known as the Singapore Security Meetup Group (SSMG) went onto the websites of various schools and came away with plenty of personal information, such as addresses and identity card and telephone numbers of staff and students.

SSMG members did not have to try very hard either.

No hacking, spyware or any virus was needed. All they did was use search engines such as Google - and the information fell into their laps, just like that.

In one case, the user name and password of a system administrator also popped up. With these, a hacker could use the server at the secondary school to send spam messages or even host an Internet pornographic website.

SSMG member and chief technology officer of an IT firm, Mr Wong Onn Chee, showed The Straits Times documents containing personal information on the websites of a university, a junior college, a polytechnic, five secondary schools and a primary school which they found.

Such data leaks are not new.

In January, Internet security firm Trend Micro said it has identified at least 40 Singapore websites - which it termed 'reputable' - that were guilty of security lapses. It declined to name the sites, which were mainly online shopping portals and community sites.

More ominously, said Trend Micro, the 40 sites - which have since cleaned up their act - likely form just a small proportion of those with questionable security practices.

SSMG's findings confirm this view.

The issue of data privacy had been raised in Parliament in January by Ms Lee Bee Wah, an MP for Ang Mo Kio GRC.

In his written reply, then-Minister for Information, Communications and the Arts Lee Boon Yang said an inter-ministry committee was already reviewing the issue. 'As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time.'

Meanwhile, lapses are continuing, warned SSMG member Frenky Tjioe.

Among the lapses that the group, which has 150 online members, discovered: A teacher at Presbyterian High School posted the names, together with the IC numbers, of 34 former students involved in an orientation programme at the start of the school year.

Although meant for the school staff, the information became accessible to all as the teacher had not assigned the correct viewing rights, said principal Lim Yan Hock.

Teachers have also been reminded that it is against school policy to include IC numbers in online documents, he added.

One document on the website of the National University of Singapore (NUS) had the personal particulars of a research fellow, including his address in China.

An NUS spokesman said its users were advised not to divulge personal information in data stored for public access and they need to take personal responsibility for any disclosure.

Republic Polytechnic spokesman Khng Eu Meng blamed its leak of names, IC numbers and e-mail addresses of 200 students on 'human error', and said steps have been taken to prevent any recurrence.

Mr Tjioe, an IT security consultant, warned that such information could be used in kidnapping scams. 'Thanks to leaky websites, criminals could have details to convince family members that it's a real kidnapping when actually, it's just a con job.'

Simply removing these documents from websites might not mean they are no longer available. These could have been archived by search engines and the affected parties would have to request that the documents be removed.

Mr Tjioe said: 'Documents with personal information should be posted only on websites with the necessary safeguards, such as restricted access.

'Where data leakage is concerned, prevention is truly better than cure.'

This article was first published in The Straits Times.