PCPD News • Issue no. 30
Cover Story
Whether BBDTek had promptly responded to the change in the operating environment of mobile devices

BBDTek's Defence
• It was unaware of Apple Inc.'s notification or news in relation to the changes or updates of the mobile operating system until 11 September 2013, when Apple Inc. publicly announced that iOS7 would be officially launched on 18 September 2013.
• It only registered with the iOS Developer Program in September 2013 and so would not have received the email notification about the launch of iOS7 that Apple Inc. had earlier sent to its registered app developers.

PCPD's Comments
• BBDTek should have kept abreast of the news and technology updates from Apple Inc.
• Apple Inc. had given ample notice to all app developers of when iOS7 would be introduced and what the changes in relation to the MAC address were. It is inconceivable that BBDTek, as a technology company specialising in app development, was unaware of Apple Inc.'s notification or news.
• Even so, iOS7 was launched only a week later, on 18 September 2013, so there was still time for BBDTek to take steps to update the app and prevent the data breach.
1. A media access control address ("MAC address") is a unique identifier assigned to a network device to facilitate its communications in the network. It is usually assigned by the manufacturer of the network device and exists on all mobile computing devices such as smartphones.
An investigation report of the PCPD revealed the leakage of personal data of the customers of an airline services company, HKA Holidays Limited ("HKA Holidays"), through "TravelBud", a mobile application ("app") running on the iOS platform. This stemmed from the failure of the app maintenance contractor, BBDTEK Company ("BBDTek"), to respond to the new privacy protection feature of iOS7 which blocked the reading by apps of the MAC address¹ as a device identifier. HKA Holidays, as the data user, has contravened Data Protection Principle ("DPP") 4(1) in Schedule 1 to the Ordinance.

TravelBud is a travel assistant app providing online services to mobile device users, such as flight ticket reservation and purchase. For first-time reservations, both members and casual customers had to input the passenger's personal data (full name, gender, date of birth, identity card number or passport number) and a contact person's personal data (name, telephone number and email address). For subsequent transactions, casual customers were recognised by the MAC address of the mobile device on which the app was installed.

On 18 September 2013 (US time), Apple Inc. launched its new mobile operating system iOS7 which, for reasons of privacy protection, blocked the reading by apps of the MAC address as a mobile device identifier. In response to apps asking for the MAC address, iOS7 would provide a fixed number instead of disclosing the true MAC address.

As BBDTek took no action to adjust to this change in MAC address behaviour, all casual customers making transactions under iOS7 from 19 September 2013 (Hong Kong time) onwards were identified as one person on the basis of the same fictitious MAC address. As a result, when a casual customer attempted to reserve or purchase a flight ticket or make an order history enquiry using a mobile device operating on iOS7, TravelBud would show on the screen of the mobile device not only his records (order histories and personal data) but also those of all other casual customers (likewise using mobile devices running iOS7) who had made transactions through TravelBud. Six affected customers had their personal data leaked to other non-members in this way before the incident was identified on 25 September 2013.
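To illustrate the failure mode described above, the following is an added example (not code from the report, TravelBud or BBDTek) that simulates an order store keyed by device MAC address beside a hardened store keyed by a server-issued random install token; the fixed MAC value and the passenger records are constructed placeholders, since the report does not give them.

```python
import secrets
from collections import defaultdict

# Constructed stand-in for the fixed value iOS7 returns in place of the true
# MAC address; the report does not state the actual value.
IOS7_FIXED_MAC = "00:00:00:00:00:00"

class MacKeyedStore:
    """Orders keyed by device MAC address, as TravelBud did for casual
    customers: every device reporting the same MAC shares one record set."""
    def __init__(self):
        self._orders = defaultdict(list)
    def reserve(self, mac, passenger):
        self._orders[mac].append(passenger)
    def history(self, mac):
        return list(self._orders[mac])

class TokenKeyedStore:
    """Hardened design: the server issues each app install a random token on
    first use; the app stores it and presents it instead of a hardware id."""
    def __init__(self):
        self._orders = {}
    def enrol(self):
        token = secrets.token_urlsafe(32)
        self._orders[token] = []
        return token
    def reserve(self, token, passenger):
        if token not in self._orders:
            raise KeyError("unknown install token")
        self._orders[token].append(passenger)
    def history(self, token):
        return list(self._orders.get(token, []))

def records_seen_by_first_customer(ios7, customers=6):
    """Let `customers` casual customers each book once, then return how many
    records the first one sees in an order-history enquiry under the
    MAC-keyed and the token-keyed store respectively."""
    mac_store, tok_store = MacKeyedStore(), TokenKeyedStore()
    macs, tokens = [], []
    for i in range(customers):
        passenger = {"name": f"Passenger {i}", "id": f"C{i:06d}"}  # constructed
        # Pre-iOS7 devices report distinct MACs; iOS7 devices all report the fixed value.
        mac = IOS7_FIXED_MAC if ios7 else f"aa:bb:cc:00:00:{i:02x}"
        mac_store.reserve(mac, passenger)
        macs.append(mac)
        token = tok_store.enrol()
        tok_store.reserve(token, passenger)
        tokens.append(token)
    return len(mac_store.history(macs[0])), len(tok_store.history(tokens[0]))
```

With six iOS7 customers the MAC-keyed store returns all six records to the first enquirer, matching the six affected customers in the report, while the token-keyed store returns only the enquirer's own.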