Singapore court finds former bank officer guilty of illegally sharing client data with overseas scammers

A former United Overseas Bank (UOB) employee has been convicted of leaking the personal and financial data of over 1,000 customers to scammers posing as Chinese police officers. The case, which exposed serious breaches of data protection, has raised new concerns over insider threats within Singapore’s banking sector.

Ex-Banker Fell for “Chinese Police” Scam

On October 14, 2025, Cao Wenqing, a 30-year-old Singapore permanent resident and Chinese national, was convicted on 14 charges under the Computer Misuse Act and 13 under the Banking Act for disclosing sensitive customer data.

Cao, a junior mortgage officer at UOB, was duped in March 2021 by two individuals—“Xiang Ying Dong” and “Captain Lu”—who claimed to be officers from China’s public security bureau. Believing she was assisting an official investigation, she accessed UOB’s internal database and extracted details of Chinese nationals holding accounts at the bank.

How the Data Breach Unfolded

Cao’s role allowed her to view confidential customer information, including names, identification numbers, account balances, and phone numbers. She filtered profiles using common Chinese surnames, compiled the data into Excel sheets, and sent photos of them via WhatsApp to “Captain Lu.”

Each file contained information on 50 to 100 customers. After sending, she deleted the files and photos to hide her actions. Cao also ran targeted searches when instructed, sending screenshots of customer profiles directly to the scammers.

Judge: “Unreasonable” to Not Verify Identities

District Judge James Elisha Lee rejected Cao’s defense that she was misled by the impostors. He noted that she had tertiary education and professional training that made her aware of the sensitivity of customer data and her duty to protect it.

“It was unreasonable not to verify their identities,” Judge Lee said, adding that Cao could have easily contacted the Shanghai police herself—a step she eventually took only after reading about a similar scam.

Prosecution: She Knew It Was Illegal

Deputy Public Prosecutor Ryan Lim emphasized that Cao was fully aware her actions violated bank policy and Singapore law. “She knew what she was doing was contrary to the bank’s policies and illegal under Singapore law, but went ahead anyway,” he said.

The prosecutor added that Cao complied with the scammers’ requests because she feared losing her job and being implicated in supposed investigations by the “Chinese police.”

Arrest and Ongoing Sentencing

Cao realized she had been deceived and filed a report with the Singapore Police Force on April 22, 2021, the same day she was arrested. She was represented in court by lawyer Kalidass Murugaiyan of Kalidass Law Corp. Her sentencing is scheduled for December 2025.

Broader Implications for Data Security

The case highlights the growing sophistication of cross-border social engineering scams and their ability to exploit insider access within financial institutions. Cybersecurity experts warn that even well-trained staff remain vulnerable when psychological manipulation is involved, emphasizing the need for stronger internal safeguards and awareness programs in the banking industry.

The conviction of Cao Wenqing underscores Singapore’s zero-tolerance stance on data breaches and insider misconduct. As financial scams become more complex and transnational, banks will need to invest further in employee training, data access controls, and proactive detection systems to safeguard customer trust.

Sources: Straits Times (2025) , CNA (2025)

Keywords: UOB Employee, Data Leak, Scammer, Banking Act, Cybersecurity, Singapore