Investigations revealed that Koh exploited the SIM card registration process to use his customers’ personal data to register for additional prepaid M1 SIM cards that they did not buy.
One method Koh used to obtain his customers’ personal data was duplicate scanning.
After scanning a customer’s identity document to register the SIM card they wanted to buy, he would scan the document again to register a second SIM card without them knowing.
Koh would then hand over only one SIM card to the customer and keep the other to sell it to an unauthorised buyer.
Another method he employed was keeping the SIM cards his customers did not want to buy.
Occasionally, a customer who registered a SIM card would not want to continue their purchase after they found out that credit for the SIM card would have to be loaded separately.
Instead of cancelling or reversing the registration process on such occasions, Koh would keep the SIM cards and activate them without his customers’ knowing. He would then offer the SIM cards for sale to unauthorised buyers.
During investigations, Koh admitted that he wanted to earn extra money from selling the pre-registered SIM cards to unauthorised buyers.
During the four-year period in which he sold such SIM cards to anonymous buyers, Koh was estimated to have made a profit of about S$35,000, selling about 250 illicit SIM cards per year with a profit of S$35 per card.
Koh collected and used the personal data of 73 people to register the 95 SIM cards linked with the complaints received by PDPC. However, it was likely that the personal data of many more individuals, about 1,000, was involved in the case, the commission said.