Office of the Privacy Commissioner for Personal Data, Hong Kong
Notes on Complaint & Enquiry Cases related to DPP4 - security of personal data

Case No.: 2003005

Internet security: randomly assigned instead of fixed reset password preferred when reactivating a lockout account - DPP4

The Complaint
A mobile phone service company provided an internet billing service to its customers through its website. The electronic bills, which contained customers' data including calling records, were password protected. In addition, a mechanism to deactivate internet access to an account after five unsuccessful logins was built in to preclude hacking. However, upon reactivation of the lockout account at the request of the customer, the password would be automatically reset to a fixed number (e.g. 123456), which was the same for all customers. This allowed a hacker to gain access to the account information by first deactivating an account with five unsuccessful login attempts, prompting the customer to make a lockout report to the mobile phone company, and then logging in to the account with the fixed reset password before the customer ever changed it. A complaint about this security pitfall in password control was lodged with the PCPD by a customer.

Findings by the Privacy Commissioner
DPP4 requires the phone company to take all reasonably practicable steps to guard against unauthorized access to its customers' data. Taking into account the sensitivity of an individual's calling records, the phone company's unvaried practice of resetting the password of a lockout account to a fixed number was considered insufficient to protect customers' data against the possible intrusion described above, despite the phone company's effort to remind customers via its system to change passwords periodically. There was nothing to suggest that it was not reasonably practicable for the phone company to allot a varied, rather than a fixed, password to a customer when reactivating a lockout account. Eventually, the mobile service provider improved its system so that the password is reset to a random number and the customer is informed of the reset password via a short message sent to his mobile telephone.
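The following is an added illustration, not the operator's system or any code from the case note: a small account store that locks an account after five failed logins and then reactivates it either with the fixed, customer-wide reset value the Commissioner found insufficient, or with an unpredictable one-time password that the application delivers out of band and flags for mandatory change. The class and method names (AccountStore, reactivate_fixed, reactivate_random) are assumptions for this example.

```python
# Constructed example: lockout after five failures, then two reactivation styles.
# reactivate_fixed mirrors the weak practice in the case; reactivate_random the improvement.
import hashlib, hmac, secrets, string

LOCKOUT_THRESHOLD = 5
FIXED_RESET = "123456"  # the customer-wide reset value cited in the case note


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}  # phone number -> record (constructed in-memory store)

    def create(self, phone: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[phone] = {"salt": salt, "hash": _hash(password, salt),
                                "failures": 0, "locked": False, "must_change": False}

    def login(self, phone: str, password: str) -> bool:
        rec = self.accounts[phone]
        if rec["locked"]:
            return False  # refused until the account is reactivated
        if hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            rec["failures"] = 0
            return True  # the application must then honour rec["must_change"]
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True
        return False

    def _set_temporary(self, phone: str, temp: str) -> None:
        rec = self.accounts[phone]
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = _hash(temp, rec["salt"])
        rec["failures"], rec["locked"], rec["must_change"] = 0, False, True

    def reactivate_fixed(self, phone: str) -> str:
        # Weak: every reactivated account reopens with the same known password.
        self._set_temporary(phone, FIXED_RESET)
        return FIXED_RESET

    def reactivate_random(self, phone: str) -> str:
        # Improved practice from the case: a per-reset random value, sent to the
        # customer's own handset (SMS) rather than shown to whoever requested it.
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(10))
        self._set_temporary(phone, temp)
        return temp  # hand to the SMS channel only; never display it on the website
```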

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.