Hong Kong Broadband Network (HKBN) has promised to implement new data protection measures for its customer data in the next three months in response to a targeted cyberattack discovered last week.
Under the new measures, all personal information of customers whose accounts have been closed will be kept for six months, instead of seven years, and will subsequently be deleted from the company’s database.
Furthermore, HKBN would modify the way it stores the data of existing customers. Part of each Hong Kong ID card number would be randomly removed, as well as the digit in brackets. For credit card numbers, the company would delete the seventh to 12th digits.
“Keeping only partial but not all of the most sensitive data like credit card number and Hong Kong ID card number gives peace of mind to our customers,” said William Yeung, co-owner and CEO, HKBN.
For new customers, their full identity card number and credit card number would be collected only to support service activation, number porting and bank payment application. Once these procedures have been completed, part of the said two numbers would also be deleted from the HKBN system.
Yeung said the new policy would make the information less attractive to hackers, adding that the company is taking decisive actions beyond the industry’s common practices.
The new data protection measures would be implemented after they are cleared with the relevant government departments.
The targeted cyberattack, discovered on April 16, involved the hacking of an inactive customer database containing the information of some 380,000 customer and service applicant records of HKBN fixed and IDD services as of 2012, which represents about 11% of the company’s 3.6 million customer records.
The information in the database includes names, home addresses, email addresses, telephone numbers and HKID card numbers. It also contains information on some 43,000 credit cards as of 2012.
HKBN had reported the incident to the Hong Kong Police and the Office of the Privacy Commissioner for Personal Data. The investigation into the incident is ongoing.
“No conclusion of the incident investigation is available yet, but we’ve already identified the areas that we will definitely address to enhance data security protection such as introducing multi-factor authentication, stepping up encryption, putting up additional layers of cyber defenses on top of our existing protections, and burgeoning resources to expand the information security team,” Yeung said.
First published in Computerworld Hong Kong