Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2018DB02

Travel agencies’ customer databases being hacked – DPP 4 – security of personal data

Background

Several travel agents were cyber-attacked and got their databases hacked during the year. In one of the cases, a travel agency’s customer database was encrypted by a hacker who demanded a ransom in exchange for decryption key. The database contained personal data of about 200,000 customers who had made purchases with the travel agency since March 2014. Personal data involved included customers’ names, Hong Kong Identity Card numbers, passport numbers, phone numbers, email addresses, credit card information, mailing addresses and/or purchase histories. The travel agency refused to pay the ransom and reported the incident to the Police. The PCPD initiated a compliance check after noting the incident from the media.

Remedial Measures

After the incident, the travel agency engaged two cybersecurity companies to investigate how the systems had been compromised and to advise how to strengthen its cybersecurity respectively. To reduce the risk of cyberattack, the travel agency enhanced its overall cybersecurity by enabling Web Application Firewall, adopting two-factor authentication for remote access, encrypting the customer database and creating an offline backup, conducting penetration testing and vulnerability scanning regularly, etc.

The travel agency also reviewed its data collection and retention practices. It ceased collecting credit cards’ CVV numbers and Hong Kong Identity Card numbers, and shortened the retention period of credit card numbers from one year to six months to reduce the risk of leakage of sensitive personal data.

(Uploaded in July 2022)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :