Personal data of some 380,000 Hong Kong broadband customers hacked, service provider says
Hong Kong Broadband Network, the city’s second largest fixed-line residential broadband provider, discovered on Monday that an inactive customer database had been accessed without authorisation
The personal data of some 380,000 Hong Kong Broadband Network customers, including details for more than 40,000 credit cards, were compromised in a cyberattack against the telecommunications company’s database.
The information kept by the city’s second largest fixed-line residential broadband service provider included names, identity card numbers, credit card details, telephone numbers, email addresses and correspondence addresses, all as of 2012. Hong Kong Broadband Network also offers domestic IDD services and mobile phone packages.
The company on Wednesday said it discovered on Monday that an inactive customer database had been accessed without authorisation. A spokesman said the information belonged to both former and existing customers.
The operator added it had received no communications from the hacker and had no indication who it might be or where the attack originated. It described the hacking as sophisticated.
“The affected customers were alerted by email and text message, and the affected credit cardholders were reminded to be watchful of their bills,” the spokesman said, noting banks had been notified to help contact the cardholders if the company could not reach them.
A follow-up investigation revealed that an unknown party had hacked into a server containing the database, which housed the information of some 380,000 customer and service applicant records for the firm’s residential broadband and IDD services, representing about 10.5 per cent of Hong Kong Broadband Network’s total 3.6 million customer records.
“The group takes this matter very seriously,” the company said in a statement, adding it “immediately reported” the incident to police on Tuesday.
A police spokesman said the force had received a report and that its Cyber Security and Technology Crime Bureau was investigating.
Privacy Commissioner Stephen Wong Kai-yi said the case had come to his office’s attention due to the large number of people affected, and a compliance review had been launched.
Immediate measures to prevent similar attacks had been implemented, the company added, with no other customer databases compromised. It described the incident as “isolated” and not affecting its business and operations.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said it was negligent for an internet service provider of this scale to be hacked. Fong questioned whether the company had afforded the same level of protection to both its active and inactive databases.
He urged the affected customers to quickly change the login passwords for their email as well as their social media and online payment accounts to avoid being further compromised.
Information technology lawmaker Charles Mok believed Hong Kong Broadband Network needed to explain why an inactive database was still on an active server.
“If the customers had been inactive since 2012, I don’t understand why [the company] still stored the data, including payment information, and linked them online,” he said.
The company apologised to the affected customers, and said they could raise their concerns or questions by calling its hotline at 3616 9111 or emailing firstname.lastname@example.org.