Hong Kong Broadband Network, one of Hong Kong’s major internet service providers, has said after a hacking incident that it will remove 900,000 old customer records, and will only keep other customer records for six months after they stop using the company’s services.
Last week, the company revealed that an inactive customer database was accessed by an unauthorised person. The data contained 380,000 customer and service applicant records as they stood in 2012.
The company’s CEO William Yeung said it holds 3.6 million customer records, and that the hacking incident was an isolated case, as the affected server was not encrypted. “But all the [other] customer databases in our network are secure,” he said.
Yeung said the company would keep financial data for seven years for tax reasons, but customer records can be removed after they stop using the service for six months.
He added that in the next three months, servers will hide some customer details. For instance, two digits of their identity card numbers will be randomly removed, and servers will only keep the first six digits and the last four digits of credit card numbers.
The measures will be adopted in three months with approval from the police, who are investigating the incident.
Yeung said that, among the 380,000 affected users, some 220,000 were past IDD (international direct dialling) users, some of whom have forgotten that they applied for the service.
Yeung said customers who did not use the service in the past six months will be given the option to stop using the service. If so, their information will be removed: “They will be completely deleted,” he said.
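The masking described above (keep the first six and last four digits of a card number; remove two digits of an identity card number) as an added illustration, not HKBN’s own code. It assumes the HKID layout of one or two letters, six digits and a check digit in parentheses, and adds one safeguard a practitioner would want: the “random” digits removed are chosen by a keyed HMAC over the record identifier, so repeated exports of the same record always blank the same two digits rather than leaking all six across snapshots.

```python
import hashlib
import hmac
import re

# Constructed sample values, not real customer data.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_HKID = "A123456(3)"
MASK_KEY = b"example-masking-key"  # assumption: a secret kept outside the database


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer) and last four digits; blank the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pick_positions(record_id: str, key: bytes, count: int, n: int) -> list:
    """Pick `count` distinct indices in range(n), pseudo-randomly but stable per record.

    Bytes of HMAC-SHA256(key, record_id) are reduced mod n; the slight modulo bias
    is irrelevant here because the goal is stability, not cryptographic uniformity.
    """
    tag = hmac.new(key, record_id.encode(), hashlib.sha256).digest()
    positions = []
    for byte in tag:
        pos = byte % n
        if pos not in positions:
            positions.append(pos)
        if len(positions) == count:
            break
    return sorted(positions)


def mask_hkid(hkid: str, record_id: str, key: bytes) -> str:
    """Blank two of the six core digits of an HKID such as A123456(3).

    The letter prefix and the check digit are kept; which two digits are
    removed depends only on (key, record_id), so it never varies between runs.
    """
    m = re.fullmatch(r"([A-Z]{1,2})(\d{6})\((\d|A)\)", hkid)
    if not m:
        raise ValueError("unexpected HKID format")
    prefix, core, check = m.groups()
    drop = pick_positions(record_id, key, 2, len(core))
    masked = "".join("*" if i in drop else d for i, d in enumerate(core))
    return f"{prefix}{masked}({check})"


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))                         # 411111******1111
    print(mask_hkid(SAMPLE_HKID, "cust-001", MASK_KEY))  # e.g. A1*3*56(3), stable per record
```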
The company will not rule out compensating users if they can prove that they suffered losses related to the hacking.
Yeung also said HKBN will hire more staff to improve its firewall and security measures.
Lawmaker Elizabeth Quat said the company should have taken the measures to hide some of the details in customer records: “Better late than never.”
“I would like to know what kind of method they are going to use to delete the information in the server, because as we know, information kept on a server cannot be deleted by just clicking a delete [button],” she said. “They should use international standards and a recognised third party to ensure all the records are really deleted.”
“More training should be provided to current and future staff,” she said.
She also said she was not certain if companies can legally remove customer information after just six months.