Cyber Incident Victim: Hong Kong Broadband Network

Date: Jan 2012

Location: Hong Kong

Summary

A telecommunications provider experienced unauthorized access to an inactive customer database containing personal data of approximately 380,000 individuals, representing around 10.5% of its total customer base. Compromised information included names, identity card numbers, over 40,000 credit card details, contact information, and addresses from historical records. The company notified affected customers via email and text messages, alerted relevant banks, and reported the incident to law enforcement and privacy authorities. Investigations indicated a sophisticated attack targeting a single server, with no evidence of broader system compromise. Critics raised concerns about the prolonged storage of outdated payment data and questioned security parity between active and inactive databases. Immediate preventive measures were implemented following the breach.

Description

Hong Kong Broadband Network (HKBN), Hong Kong’s second-largest fixed-line residential broadband provider, discovered unauthorized access to an inactive customer database on April 16, 2018. The breach compromised personal data of approximately 380,000 customers and service applicants, representing 10.5% of the company’s 3.6 million total customer records. The exposed information included names, identity card numbers, credit card details (for over 40,000 cards), telephone numbers, email addresses, and correspondence addresses, all dated to 2012. The database contained records from both former and existing customers related to residential broadband and international direct dialing (IDD) services. HKBN confirmed the compromised server housed inactive data and described the attack as sophisticated, though no threat actor claimed responsibility or communicated demands. The company reported the incident to police on April 17 through the Cyber Security and Technology Crime Bureau and notified Hong Kong’s Privacy Commissioner, Stephen Wong Kai-yi, who initiated a compliance review due to the breach’s scale. Affected customers received email and SMS alerts, with credit cardholders advised to monitor billing statements. HKBN collaborated with banks to contact cardholders if direct communication failed and implemented immediate measures to prevent similar attacks, asserting no other databases were compromised.

The investigation revealed the attacker infiltrated a server storing historical customer records that remained online despite containing outdated information. HKBN emphasized the incident was isolated and did not disrupt ongoing operations. Police launched an investigation but disclosed no suspects or origin of the attack. Industry experts criticized HKBN’s data retention practices, with Francis Fong Po-kiu of the Hong Kong Information Technology Federation calling the breach negligent and questioning whether inactive databases received the same security protections as active systems. Legislative Council member Charles Mok further challenged HKBN’s decision to maintain a six-year-old inactive database on an accessible server, particularly noting the unnecessary retention of payment information. The company maintained it took the breach seriously but faced scrutiny over its compliance with data minimization principles and safeguarding of legacy systems. No additional technical details about the attack vector or duration of unauthorized access were disclosed publicly.
