NDP organisers refuse to concede ticketing site had security flaw that compromised users' personal data

Their media statement after flaw was exposed is a thing to behold. PR practitioners, take note.

Martino Tan| May 22, 12:01 AM

On May 19, 2014, a blogger, Lai Zit Seng, pointed out a security flaw on the National Day Parade ticking balloting site eballot.ndp.org.sg.

He highlighted how personal information, submitted by those balloting for tickets, could be easily accessible as the site did not use Secure Sockets Layer (SSL) encryption.

He also posted a screenshot on his blog showing the data that could be accessed, as the apparent security flaw could potentially allow hackers to steal the data entered on the site, such as a person’s name, identity card and telephone numbers.

This, naturally, caused a major brouhaha online.

In response to media queries late Tuesday night, May 20, 2014, executive committee chairman of ticketing Lieutenant-Colonel Jason See said -- in what could perhaps be the biggest non-statement of the year, with equal measures of concession and denial:

"We have reviewed our IT security infrastructure and would like to reassure Singaporeans that no personal information had been compromised. Nevertheless, the level of security can be further enhanced, and we will do so."

Note that no personal information had been compromised and that's the bottom-line because the chairman of ticketing said so.

In his new posting last night, Lai said, "he (See) simply would not know if it has been leaked. He could say the NDP website has not been hacked, but there is no way to guarantee that personal information has not been leaked out somewhere else”.

Lai is clearly concerned with the lack of SSL support on the website, which allows the NDP website to be exposed to a range of vulnerabilities.

Lieutenant-Colonel See could follow a fellow military man's way of approaching this issue:

"Reports that say there's -- that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know." - Donald Rumsfeld, United States Secretary of Defense, Feb 2002.

Basically, he can share with the public what he knew and what he didn't know, and how they can rectify the problem.

Check out Microsoft's nerdy and wonky approach in dealing with their Internet Explorer Security Flaw. It is not perfect but it is a good example of how the NDP Committee could have better approached and communicated the issue to the public.

If Singaporeans still have confidence after Lieutenant-Colonel See's statements, they can apply for tickets during the upgrading of the NDP website. They can also apply on AXS and SAM machines, and via SMS.

Applications close on May 25.


If you like what you read, follow us on Facebook and Twitter to get the latest updates.