HKBN Under Fire Over Data Management Regime

Hong Kong Broadband Network (HKBN) has come under fire over its data protection measures after it admitted on Wednesday that hackers have attacked an inactive database containing 380,000 customer records from 2012.

HKBN said the attack happened on Monday, accessing a database holding names, email, correspondence addresses, telephone numbers and identity card numbers – and details of some 43,000 credit cards.

It also contained almost 400,000 records of the company’s fixed and IDD services of that year – 11 percent of its total 3.6 million records.

The company said it had immediately conducted a thorough internal investigation and engaged an external network security consultant to conduct a comprehensive check of all systems and servers once it identified the cyber attack. It said it had also implemented immediate measures to prevent similar attacks.

HKBN said it was not aware of any other customer databases being affected. It said it believes this was an isolated event, but stressed that it is taking the matter seriously.

The firm has reported the hack to the police and said it would inform customers affected as well as the Privacy Commissioner.

However, the incident has raised privacy concerns.

IT sector lawmaker Charles Mok called on the company to explain why it had held on to former customers' information, saying this may be a breach of privacy laws:

"The data protection principle under the privacy laws in Hong Kong do state very clearly that for personal information that’s being kept by the data user - that is the company - you have to make sure that you don’t keep this information longer than what is necessary," Mok said.

On the face of it, if these accounts were no longer in use after six years so there was probably no reason for the company to keep the credit card information, he said.

A cybersecurity expert said people whose credit card data has been stolen should check with their banks for any unusual transactions.

Anthony Lai from the cybersecurity company, VXRL, said the latest incident has once again shows that Hong Kong lags behind in regulating local firms' internet security compliance, and called for a new regulatory body.

The attack on Hong Kong Broadband Network comes just months after three travel agencies also suffered cyber attacks.

Last updated: 2018-04-19 HKT 02:06