SINGAPORE: GV leaks e-mail contacts of 7,000 patrons

Cinema chain attributes information leak to software glitch

The Straits Times
Thursday, January 31, 2008

By Alfred Siew

A few hundred movie-goers suddenly found their contact list expanded over the weekend when an attachment containing e-mail addresses of more than 7,000 people was sent to their inboxes.

Cinema chain Golden Village (GV) had inadvertently leaked the information, sent along with its newsletter, to members of its Movie Club.

The leak did not include any other information, such as credit card details, but has raised concerns among privacy watchers that personal details could have been so cavalierly handled.

One of those affected, postgraduate student Tan Wei Hiong, 28, said: 'Any spammer who got hold of that file would have had a field day.'

He found out about the problem only when he received an e-mail apology from GV on Tuesday.

The cinema chain said it was sending out an e-mail apology to each of the 7,000-plus affected customers.

They are among 143,000 who had signed up to be part of its Movie Club to receive discounts for tickets and other perks.

The cinema chain said it had taken steps to stop the attachment from circulating further once it was alerted to the problem.

Spokesman Angelika Quadt attributed the lapse to a software bug, adding that there would be more comprehensive tests done before sending out upcoming newsletters.

'In future, GV will send out a test e-mail to internal staff to test it out first, to ensure it works and is not corrupted,' she added.

The gaffe is not as serious as cases overseas where credit card information is lost, but experts say it trains the spotlight on how there are too few rules protecting the private data of consumers here.

In February 2006, the Government said it had set up an inter-ministerial committee to look into a data-protection regime here. There have been no updates so far.

In the meantime, some of the most stringent privacy rules still reside in the Telecom Competition Code, which governs how telecom operators can handle customer details such as calling patterns.

Since GV is not a telco, it does not face the same rules, say experts.

Lawyer Bryan Tan said even if consumers wanted to sue GV, they would have to show that the company had breached a contract by disclosing their details, and to show loss arising from the data leakage.

'That is not an easy case,' he noted.