The theft is not the first of its kind. Last year, the database of a travel agency was hacked and locked by criminals, who demanded a ransom. 

What sets the latest incident apart is that the customers’ data, including names, identity card and telephone numbers, credit card details and correspondence addresses, had not been used for years. So far, there has been no reports of financial losses from those affected, but the risks cannot be ignored.

It is obviously unjustified for the city’s second largest fixed-line residential broadband company to have kept for so long the details of hundreds of thousands of people who are no longer its customers. 

There have been suggestions that it is customary practice for businesses to keep financial records for up to seven years for taxation purposes, but the personal data protection law also stipulates that data users should not keep information for longer than necessary. 

The firm’s decision to remove the details of 900,000 former customers and cut the time of keeping data to just six months is a correct response. 

The company is arguably a victim. But as a data user, it is legally required to protect the details with due diligence. Whether it has breached the law is a matter for the privacy watchdog to ascertain, but the safeguards against hacking were clearly inadequate.

Adding to the problem is a weak data protection law. Enacted in the 1990s, the legislation sets out the broad principles for personal data collection and privacy protection. But they can be loosely defined and become grey areas. This is not helped when the penalties and compliance costs are woefully disproportional. 

A more effective way is to follow the world trend of linking punishment with business turnover. The law must be strong enough to ensure companies will take their legal responsibility seriously.