DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

Privacy Commissioner Publishes Investigation Report on the 2018 Incident of Intrusion into Hong Kong Broadband Network’s Customer Database Affecting 380,000 Customers

Posted on February 21, 2019 by Dissent
February 21 – The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG published an investigation report in accordance with section 48(2) of the Personal Data (Privacy) Ordinance (the Ordinance) on the incident of Hong Kong Broadband Network Limited (HKBN)’s inactive database having been intruded in mid-April 2018 (the incident) that caused leakage of personal data of about 380,000 customers and service applicants.  The investigation report was published after having considered that it is in the public interest to do so.  As contravention of relevant requirements under the Ordinance regarding personal data retention, erasure etc. was found in the investigation, the Privacy Commissioner decided to serve an enforcement notice on HKBN pursuant to section 50(1) of the Ordinance to remedy and prevent any recurrence of the contravention.
Major investigation findings
The report stated that at the time of the incident, HKBN stored customers’ data in three databases. The database in question was inactive, containing personal data of customers and service applicants as of 2012. The types of personal data included name, email address, correspondence address, phone number, Hong Kong Identity Card number and credit card information. About 380,000 individuals were affected. The investigation found that:
  • The database in question should have been deleted after a system migration in 2012, but was nevertheless retained and remained connected to internal network owing to human oversight. Its existence escaped the memory and attention of HKBN. No updating of security patches or encryption was carried out with that database either.
  • HKBN failed to conduct a comprehensive and prudent review after the system migration, leading to the failure to delete the database in question;
  • HKBN failed to give due consideration to the retention period of former customers’ personal data or provide relevant internal guidance. It also retained, for an excessive period of time, data of former customers.
In light of the facts revealed and admitted by HKBN in the investigation, and in all the circumstances of the case, the Privacy Commissioner found HKBN to have failed to take all practicable steps to erase personal data stored in the database in question, where it was no longer needed, and retained, for an excessive period of time, personal data of former customers, contravening section 26 of the Ordinance (Data Erasure) and Data Protection Principle 2(2) of Schedule 1 to the Ordinance (Data Retention).
The Privacy Commissioner had served an enforcement notice on HKBN to remedy and prevent contravention. The Privacy Commissioner instructed HKBN to:
  • devise clear procedures to specify the steps, time limits and monitoring measures for deleting personal data in obsolete database(s) after system migration;
  • devise a clear data retention policy to specify the retention period(s) of personal data of customers and service applicants, which is no longer than is necessary for the fulfillment of the purpose;
  • devise a clear data security policy to cover regular review of user privileges and security controls of remote access service;
  • implement effective measures to ensure that the policies and procedures would be expressly informed to relevant staff members and effectively executed; and
  • erase all the personal data of customers and service applicants which is retained longer than the retention period(s) as specified in the data retention policy devised.
In the report, the Privacy Commissioner pointed out that currently there is no mandatory requirement for data breach notification under the Ordinance, whether to the regulatory authority or to data subjects. Notwithstanding this, HKBN had since the incident adopted the good practice of notifying the Privacy Commissioner and the affected customers, and had taken and promised to take remedial actions.  In addition, the Privacy Commissioner urged organisations to adopt an accountability approach in handling personal data by incorporating data governance, stewardship and ethics, namely being respectful, beneficial and fair, as part of corporate governance, and apply them as a business imperative throughout the organisation, starting from the boardroom.
The investigation report can be downloaded from PCPD website at:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/PCPD_Investigation_Report_R19-5759_Eng.pdf
-END-
Source: PCPD

Related Posts:

  • Hong Kong Broadband Network announces new security…
  • Hong Kong's Privacy Commissioner Welcomes the…
  • Hong Kong Hospital Authority violated Data…
  • HK: Response to Media Enquiries: Personal Data…
  • Hong Kong Privacy Commissioner for Personal Data…

Post navigation

← No Damages Required to Sue Under Illinois Biometric Information Privacy Act
Data breach rumours abound as UK Labour Party locks down access to member databases →

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • Proliance Surgeons notifying 437,392 patients after ransomware attack earlier this year
  • After $50 Million Breach, KyberSwap Faces Hacker’s Shocking Demands
  • Hendersonville city employees target of cybersecurity breach
  • Ukrainian gets 8-year sentence for running marketplace for Americans’ data
  • Some city data was stolen during cyber breach; full scope remains unknown, Long Beach says
  • More than 1 million Michiganders affected by Welltok cyberattack
  • Line operator says 440,000 personal records leaked in data breach
  • Ransomware group ‘Black Basta’ has raked in more than $100 million -researchers

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net