Hong Kong Broadband Network (HKBN) has admitted that hackers gained unauthorised access to an inactive customer database, which contained approximately 380,000 records from 2012.
The ISP said the attack happened on Monday, and the hackers accessed a database holding names, email, correspondence addresses, telephone numbers and identity card numbers – and more worryingly for consumers, details of some 43,000 credit cards. HKBN said it immediately notified police and would inform customers, as well as the Privacy Commissioner.
It also conducted a thorough internal investigation and a major review of all systems and servers after becoming aware of the attack, and the company stressed that it has taken measures to prevent similar attacks.
HKBN said it believes this was an isolated event, but stressed that it is taking the matter seriously.
William Yeung, co-owner & CEO and NiQ Lai, co-owner and COO said, “We apologise to all affected customers. We are continuing the investigation to identify the cause of the unauthorised access, and will spare no effort in the combat against such illegal act, implementing rigorous measures to prevent similar incidents from happening again.”
But the incident has raised a number of red flags with stakeholders over privacy and security concerns - including from government.
"The data protection principle under the privacy laws in Hong Kong do state very clearly that for personal information that’s being kept by the data user - that is the company - you have to make sure that you don’t keep this information longer than what is necessary," IT sector lawmaker Charles Mok said.