Customers of Hong Kong Broadband Network were warned earlier this week that their personal details had been compromised by hackers.
The details of 380,000 customers, including credit card information for more than 40,000 of those people, were taken from a database on Monday, the company said.
Announcing that it had been breached on Wednesday, Hong Kong’s second largest fixed-line residential broadband provider said that names, phone numbers, email and physical addresses and identity card numbers, as well as some credit card details, had been accessed from an inactive database without authorisation.
Hong Kong Broadband has around 3.6 million customer records, meaning the breach amounts to just over 10% of its total customer database.
A spokesperson for the company said: “The affected customers were alerted by email and text message, and the affected credit cardholders were reminded to be watchful of their bills.” Banks had been asked to help contact cardholders if Hong Kong Broadband was not able to, the spokesperson added.
The data all dated from 2012, which raised questions over why the company was still retaining it six years on. Commentators also asked why the database had not been encrypted.
Lawmaker Charles Mok told the South China Morning Post: “If the customers had been inactive since 2012, I don’t understand why the company still stored the data, including payment information, and linked them online.”
Eugene Assev, VP of engineering at Acronis, commented: “To avoid such situations, companies must do regular – and better automated – inventory tracking and management, withdraw the assets that are no longer in use, segregate active systems and archive data.”
Others stressed the importance of employee education in avoiding these types of situation, with Kaspersky Lab’s head of virus for APAC, Rocky Dong, arguing that education can help “defeat social engineering attacks like spear-phishing and waterhole attacks.”
Having described the hacking operation as “sophisticated”, the company also said it “takes [the] matter very seriously,” and that it had immediately reported the incident to the police. A spokesperson also said that it was taking action to stop a similar attack from happening again and noted that no other databases had been compromised.
A spokesman for the Hong Kong police confirmed they had received a report and that an investigation by its Cyber Security and Technology Crime Bureau had begun.
As well as this, the case has been brought to the attention of Privacy Commissioner Stephen Wong Kai-yi, who has now begun a compliance review.