Privacy Commissioner Publishes Investigation Report on the 2018 Incident of Intrusion into Hong Kong Broadband Network’s Customer Database Affecting 380,000 Customers
February 21 – The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG published an investigation report in accordance with section 48(2) of the Personal Data (Privacy) Ordinance (the Ordinance) on the incident of Hong Kong Broadband Network Limited (HKBN)’s inactive database having been intruded in mid-April 2018 (the incident) that caused leakage of personal data of about 380,000 customers and service applicants. The investigation report was published after having considered that it is in the public interest to do so. As contravention of relevant requirements under the Ordinance regarding personal data retention, erasure etc. was found in the investigation, the Privacy Commissioner decided to serve an enforcement notice on HKBN pursuant to section 50(1) of the Ordinance to remedy and prevent any recurrence of the contravention.
Major investigation findings
The report stated that at the time of the incident, HKBN stored customers’ data in three databases. The database in question was inactive, containing personal data of customers and service applicants as of 2012. The types of personal data included name, email address, correspondence address, phone number, Hong Kong Identity Card number and credit card information. About 380,000 individuals were affected. The investigation found that:
- The database in question should have been deleted after a system migration in 2012, but was nevertheless retained and remained connected to internal network owing to human oversight. Its existence escaped the memory and attention of HKBN. No updating of security patches or encryption was carried out with that database either.
- HKBN failed to conduct a comprehensive and prudent review after the system migration, leading to the failure to delete the database in question;
- HKBN failed to give due consideration to the retention period of former customers’ personal data or provide relevant internal guidance. It also retained, for an excessive period of time, data of former customers.
In light of the facts revealed and admitted by HKBN in the investigation, and in all the circumstances of the case, the Privacy Commissioner found HKBN to have failed to take all practicable steps to erase personal data stored in the database in question, where it was no longer needed, and retained, for an excessive period of time, personal data of former customers, contravening section 26 of the Ordinance (Data Erasure) and Data Protection Principle 2(2) of Schedule 1 to the Ordinance (Data Retention).
The Privacy Commissioner had served an enforcement notice on HKBN to remedy and prevent contravention. The Privacy Commissioner instructed HKBN to:
- devise clear procedures to specify the steps, time limits and monitoring measures for deleting personal data in obsolete database(s) after system migration;
- devise a clear data retention policy to specify the retention period(s) of personal data of customers and service applicants, which is no longer than is necessary for the fulfillment of the purpose;
- devise a clear data security policy to cover regular review of user privileges and security controls of remote access service;
- implement effective measures to ensure that the policies and procedures would be expressly informed to relevant staff members and effectively executed; and
- erase all the personal data of customers and service applicants which is retained longer than the retention period(s) as specified in the data retention policy devised.
In the report, the Privacy Commissioner pointed out that currently there is no mandatory requirement for data breach notification under the Ordinance, whether to the regulatory authority or to data subjects. Notwithstanding this, HKBN had since the incident adopted the good practice of notifying the Privacy Commissioner and the affected customers, and had taken and promised to take remedial actions. In addition, the Privacy Commissioner urged organisations to adopt an accountability approach in handling personal data by incorporating data governance, stewardship and ethics, namely being respectful, beneficial and fair, as part of corporate governance, and apply them as a business imperative throughout the organisation, starting from the boardroom.
The investigation report can be downloaded from PCPD website at: