Case Studies

Search Case Studies

All Areas of Concern

Search Case Studies

All Areas of Concern

Valuable digital information demands protection

Trades / Industries:

A sales supervisor at a telecommunications company was given easy access to the central database of telephone subscribers.   A friend put him in contact with a debt collector, who offered him HK$80 to HK$100 to retrieve the personal data of each individual telephone subscriber.   The sales supervisor accepted the deal and regularly faxed the requested information to the debt collector.   In 26 months, he received a total of over HK$30,000 through 18 deposits made into his bank account.


Case Analysis

Divulging information to unauthorised parties for personal gain is a criminal act under anti-corruption law.  The sales supervisor had committed Section 9 of the Prevention of Bribery Ordinance.  Leaking customers’ personal data is also a breach of the Personal Data (Privacy) Ordinance and can expose the company to damaging lawsuits.


In a case of this kind, a great deal of time was usually required in identifying the suspect during the investigation, because the client database was open to many staff members for reasons of operating efficiency.  If no security measures were in place to control the retrieval of information, innocent staff would be  unhappy to find that they were suspected of the illegal act when investigation was required.  Besides, some staff members like the sales supervisor in this case might consider it a trivial matter to trade client information for some extra cash, especially when the information was so easily accessible.  


Where important data such as customer details, business plans, product designs, etc., are kept in digital formats, this becomes an area that is vulnerable to corruption and related crimes.  Managers must therefore be vigilant in maintaining the security of valuable information. Irrespective of the format in which it is stored, managers should classify information into different security levels according to the degree of sensitivity and confidentiality.   This helps prevent unauthorised access.


It is crucial that managers inform staff clearly of the serious consequences, both for themselves and for the company, that can result from the unauthorised disclosure of company information. The human resources policy of the company should be regularly reviewed and constantly enforced to provide the necessary deterrents against misconduct, e.g. any breach will result in dismissal and report to the relevant law enforcement agencies.

Back To Top