K Box membership database was poured out on the Internet today by a hacker group calling themselves The Knowns. Leaked details of K Box 317K members included names, addresses, phone numbers, email addresses and NRIC numbers. The best part of this incident is, you know what, that K Box had “no comments”.
According to Channel News Asia, the “no comments” was offered by senior management staff at the company headquarters. Oh wow. There were so many ways to say something non-committal, without making admission of any sort, promising action of any kind, or basically a non-statement. But, “no comments” is certainly quite shocking in a situation like this.
I’ve said a few times that these sorts of incidents are not a question of if, but when. This is often a crisis situation, and having a well developed incident response and recovery plan is crucial. Quite obviously, K Box is at a complete loss at how to deal with this situation.
Let’s think about the situation for a moment. Your personal data has been leaked. Your phone number, your address, your NRIC number. They have become public information. It’s not just you. There are some 317574 people in all. The numbers, incidentally, are quite impressive. K Box had that many members? These are members, not just mere customers.
Now, wouldn’t you very concerned? Very angry? There’re 317K such people. All K Box could say is “no comments”?
Sure, I can understand K Box themselves are shocked. Perhaps they had no idea what has happened. The leak hit them as a big surprise. But surely they can quickly determine that, yes, the fact of the matter is that their membership database is on the Internet. No need to say too many things, but at the very least, acknowledge the facts of the matter first. They should also contact (by email or SMS) all their customers to inform of the situation as it develops. This may take a while to get organised, but how about a public statement? Post a message on their website? A status update on their Facebook page?
Nothing. K Box has said absolutely nothing at this time.
I am (thankfully) not a K Box member. However, I can just appreciate how really upset affected people will be about this situation, and angry at the company’s lack of response. Their business could be very adversely affected depending on how they handle this situation.
Update (2014-09-17 08:00): K Box finally made a statement. According to a Channel News Asia post just after midnight today, Chief Operating Officer Priscilla Ng said “Steps are being taken to remove the stolen data and hold those responsible for this deplorable act wholly accountable to the fullest extent of the law”.
Wow. No apology. No regrets. No remorse. Instead, it’s pushing the blame, sort of. The theft was “deplorable” and to go after those responsible “to the fullest extent of the law”.
You should know that once something is on the Internet, it is in the public forever. There is no way you can “remove the stolen data”. It seems like nothing has changed about their website. Not even Ms Ng’s statement shared by Channel News Asia. Member sign ups and member logins are still on the website. Business is as per normal. How sad. Affected members waited over 12 hours after the incident erupted to hear this. That they are taking the matter very seriously is a joke.
This is the problem when corporation keep thinking IT is cost center best done by cheap Foreigners or Off shored.