Impatient former Hong Kong library worker arrested after stealing customers’ personal data to borrow books faster
Woman filed bogus loss reports for customer’s library cards, meaning their borrowed books had to be immediately returned
A bibliophile who worked in a Hong Kong public library has been arrested for using the personal information of about 130 customers without their permission so she could quickly borrow their loaned books.
The 25-year-old woman, who formerly worked for a contractor company for Tseung Kwan O Public Library and was responsible for handling returned library materials from readers between 2015 and this year, was arrested on May 24, according to the Leisure and Cultural Services Department, which operates the library, and police.
A police source said she had used the personal data of users to file loss reports for library cards on their behalf. After the report, customers would no longer be able to renew loaned books and were required to return them immediately. That would allow the woman to borrow those items.
No financial losses were involved and no books were said to have been stolen, the source said.
The personal data included names, Hong Kong identity card numbers, addresses, telephone numbers and email addresses, a spokesman for the Leisure and Cultural Services Department said.
The department was alerted earlier when the library received enquiries from registered users regarding unsuccessful access to their online accounts.
A department investigation showed the users’ accounts were suspected to have been improperly accessed, and 129 had filed lost library card reports, or had changed the account passwords, resulting in the holders not being able to use the library’s online services.
The department then reported the incident on May 23 to police and the Office of the Privacy Commissioner for Personal Data.
It also tried to contact the suspected affected users, of whom 86 users were reached.
The spokesman appealed to all registered users to change their passwords as soon as possible
A task force led by an assistant department director was set up to review the security measures concerning the management of registered users’ personal data and to enhance the monitoring mechanism on outsourced service contractors’ performance, the spokesman said.
“The department is very concerned about the incident and would like to apologise to the affected users,” the spokesman said.
The woman, who was arrested for accessing a computer with criminal or dishonest intent, was later released on bail and must report back later this month.
The Office of the Privacy Commissioner for Personal Data said it had launched a compliance check.