Hong Kong broadband provider to revamp way it stores customer information after data breach
Company announces plan to remove data of 900,000 former customers and shorten time it keeps information to six months
Hong Kong’s second-largest residential broadband provider will purge the data of 900,000 former customers and reduce how long it holds information, after a hack last week compromised the data of hundreds of thousands of customers.
Hong Kong Broadband Network (HKBN) announced the new security measures as CEO William Yeung Chu-kwong admitted on Monday the hacked personal information of 380,000 current and former customers was stored in an unencrypted database.
Yeung, who is also the co-owner of HKBN, said the compromised database was the only one that lacked encryption, stressing the others were all safe.
All information related to HKBN’s 900,000 inactive customers would be deleted within three months, while details on past customers would now be held for six months – rather than seven years.
Yeung said the company would also modify the way it stores existing customer information.
“We will no longer store full ID and credit card numbers, as they can potentially harm the customers,” he said.
Hong Kong ID card numbers would have two digits randomly deleted, as well as the digit in brackets. For credit card numbers, the company would delete the seventh to 12th digits, Yeung said.
The same policy would also be applied to new customers.
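The truncation Yeung describes, sketched as an added example that is not HKBN's code, applied to a record before it is written to storage. The `*` placeholder for removed digits, the function names and the sample record are assumptions; the article only says the digits are deleted.

```python
import re
import secrets

_RNG = secrets.SystemRandom()
# One or two letters, six digits, check character (0-9 or A), brackets optional.
_HKID = re.compile(r"([A-Z]{1,2})([0-9]{6})\(?([0-9A])\)?")
_PAN = re.compile(r"[0-9]{13,19}")


def truncate_pan(pan: str) -> str:
    """Remove digits 7-12 of a card number before it is stored."""
    digits = re.sub(r"[ -]", "", pan)
    if not _PAN.fullmatch(digits):
        raise ValueError("not a plausible card number")
    # For a 16-digit card this leaves the first six and last four digits.
    return digits[:6] + "*" * 6 + digits[12:]


def truncate_hkid(hkid: str) -> str:
    """Drop the bracketed check digit and two randomly chosen digits."""
    m = _HKID.fullmatch(hkid.strip().upper())
    if not m:
        raise ValueError("not a plausible HKID number")
    # The check digit is computed from the other characters, so it is dropped.
    prefix, digits, _check = m.groups()
    # Positions are picked per record from the OS CSPRNG and never recorded.
    drop = set(_RNG.sample(range(6), 2))
    return prefix + "".join("*" if i in drop else d for i, d in enumerate(digits))


def minimise(record: dict) -> dict:
    """Return a copy that is safe to persist; the full values are discarded."""
    out = dict(record)
    out["hkid"] = truncate_hkid(record["hkid"])
    if record.get("card"):
        out["card"] = truncate_pan(record["card"])
    return out


if __name__ == "__main__":
    # Constructed sample record: a test card number and a made-up HKID.
    sample = {"name": "Chan Tai Man", "hkid": "A123456(3)",
              "card": "4111 1111 1111 1111"}
    print(minimise(sample))
```

The truncation only reduces exposure if nothing else in the record, such as a hash of the full number, allows the removed digits to be recovered.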
Yeung said the new policy would make the information less attractive to hackers, adding the company was taking steps beyond those required by law.
“I don’t believe any other telecommunications company is doing [any of this],” Yeung said.
The changes would be made after they were cleared with government departments including police and the Inland Revenue Department, he added.
Yeung said the company had not been contacted by the hacker and refused to give further details.
Since the hack, announced on Wednesday, the company received 1,000 complaints and more than 10 customers terminated their contracts.
Asked if customers would be compensated for any losses, Yeung said HKBN would do “what the law requires”.
A police spokesman said on Monday an investigation into the hack was ongoing. A source said investigators were slow to make progress because HKBN was such a large company.
HKBN had said an inactive customer database was hacked on April 16. After checking its systems and servers, it found no other affected databases, and added that it had already taken steps to prevent further attacks.
The database held about 380,000 records of former and existing customers of the firm’s residential broadband and IDD services from 2012, which is about 11 per cent of the company’s 3.6 million customer records.
The records held information including names, email addresses, home addresses, telephone numbers, ID card numbers and information of about 43,000 credit cards.
The Office of the Privacy Commissioner for Personal Data said on Monday it had received 11 complaints and 30 inquiries concerning the hack.
The office said it would not comment on the measures of individual companies but that organisations would need to abide by the relevant privacy laws when handling personal data.