Hong Kong Broadband Network Exposes Data of 380,000 Customers

The personal data of 380,000 customers of Hong Kong Broadband Network (HKBN), has been hacked, according to a statement from the company.

HKBN, the city’s second largest fixed-line residential broadband provider, said that the data, which was in an inactive customer database with details on customer and service applicant records from 2012 was accessed by an “unauthorized person” on Monday.

Compromised information included names, email addresses, correspondence addresses, phone numbers, identity card numbers and some 43,000 credit card details.

"An Isolated Incident"

HKBN has claimed that it has taken severe measures to contain the breach, and to examine its systems for possible other data leaks.

“Upon identifying the unauthorized access, the Group has immediately conducted a thorough internal investigation and engaged an external network security consultant to conduct a comprehensive check of all systems and servers,” the company said in an announcement.

So far, HKBN believes that this is “an isolated event” and that “it will not have any material impact on the Group’s business and operation.” That said, the leak of customer’s PII, including payment card info can do untold damage to brand reputation, and could possibly result in lawsuits.

Online Databases are a Common Attack Vector

Details on the attack vector were scarce, with HKBN vaguely telling local media that the attackers used “advanced skills” to access the database.

While we don't know the nature of the database accessed in this instance, misconfigured and unsecured online databases have become a common attack vector for bad actors in recent years. Amazon S3 buckets are a particularly popular target, as a misconfigured bucket is often accessible to anyone with a free Amazon account and the right URL.

Hong Kong’s Privacy Commissioner, Stephen Wong has said he will demand an explanation from HKBN over why inactive customer data was stored on an online server for years.