Case Notes

This case relates to DPP4 - Security of personal data

Case No.: 2016DB04

Online food ordering records leaked to the Internet involving 62,539 customers – DPP 4 – security of personal data

Background

A citizen reported to the PCPD that members of the public were able to access the food ordering records and personal data of customers of a company providing food delivery services by clicking a hyperlink, posted on the Internet, to the company’s hypertext pre-processor (PHP). The personal data involved in the incident included the names, addresses, telephone numbers and email addresses of 62,539 customers.

The company explained that the incident was caused by an incorrect access right setting on a folder stored on the server, which enabled unintended parties to access its customers’ personal data via the Internet. Immediately after the incident, the company rectified the access right of the folder, renamed the relevant system programme files and enabled password protection on them, so as to prevent unintended parties from accessing the company’s hypertext pre-processor by using the said hyperlink.

Remedial Measures

The company also took the following remedial actions to prevent recurrence of the incident:

  1. Appointing a system developer to regularly inspect the server to ensure that the folder’s access right is set correctly;
  2. Shortening the retention period of the food ordering records to one day after the delivery, and writing programmes to ensure that the ordering records are erased in a timely manner; and
  3. Replacing the existing computer system with a new one that includes an authentication function, so that only authorised IP addresses or computers can access customers’ personal data stored in the new system.

(Uploaded in July 2022)
