Records Security Problems in Hong Kong? … You Can Bank on It
A Letter from Hong Kong, July 2008: Caldeson Principal Michael Steemson views leaky banking and public sector records security in Hong Kong, the teeming, capitalist jewel in China’s socialist crown. It felt like being back home. The feature was first published in the RMAA journal, iQ, November 2008, Vol 24, No 4, pp 11-13.
by Michael Steemson,
Principal, The Caldeson Consultancy
______________
Fleeing back to a cool Antipodean winter from a British summer fierce with political punch-ups over lost government records, we hit Hong Kong in the middle of its own heat wave. The teeming ex-British colony is sweating in the global baking and the radiance of “the beautiful games”, its Beijing bosses’ Olympics.
Day three of mass heat, humidity and humanity: the South China Morning Post headlines look so familiar: “HSBC loses tape of 25,000 client calls”. Day seven it happens again: “Data leaks point to Immigration Department”. Talk about déjà vu!
In the decade since the British lease ran out on this, its last valuable dependency, Hong Kong has changed up with a burst of apparent fabulous fortune – new and improved public utilities, extensive land reclamation and bigger and bigger tower blocks. How much of the new wealth is real is a matter of media and mogul conflict.

Hong Kong flag
Other changes: The city streets are tidier because of new, swingeing HK$1,500 (AU$200) fines for littering, and feeding the feral pigeons. The royal crests on policemen’s cap badges have been replaced by the region’s new symbol, a representation of the native hibiscus flower. That’s also the centre of the “special administrative region’s” sad little red flag that replaced the blue ensign of British yore.
What has not changed is more interesting. The swarming traffic still drives on the left, unlike the rest of China. The city’s huge, double-decker buses and crowded, dinky little wood-frame trams still rock through streets called Queensway and King’s Road to places like Stanley, Soho and Aberdeen. There are still underground Mass Transport Railway (MTR) stations called “Admiralty” and “Prince Edward”.
British Hong Kong Persists
The Queen’s profile still appears on some coins of the realm and the Royal Hong Kong Yacht Club still flourishes in Repulse Bay, the latter named after a Royal Navy battleship. Major hospitals are still called after British royals, Queen Elizabeth, Princess Margaret, and Queen Mary, some of which had had their own patient records losses earlier in the year. And, of course, the thronging Victoria Harbour between Hong Kong Island and its huge suburb, Kowloon, is still named after another long-lived British monarch.
So, it may not be too surprising to find the latest British disease is also there in spades: doleful, porous data security. News of such failings in Chinese government agencies is rare, which makes the Post’s revelation particularly extraordinary. Oriental bureaucrats are assuredly no better at records security than any others. But their media control is usually watertight.
So, when one of the region’s highest-profile, private sector giants and a public sector agency both get caught with records management failures, neither of them actually their first offences this year, that’s big news for Hong Kong and its wicked stepmother, Beijing.
The Hong Kong and Shanghai Banking Corporation, the HSBC, which with some justification calls itself “the world’s local bank”, admitted in mid-year [1] that a security contractor had lost one of 55 digital tapes being carried from a provincial service centre to Hong Kong. The acknowledgement that such data is still transported physically from A to HK says a lot about the region’s historic business culture residues and paucity of 21st C. infrastructure.
The tape contained recordings of telephone conversations with 25,000 clients. The South China Morning Post, Hong Kong’s leading English-language daily, reported that the calls “mostly related to credit card inquiries (and) business Internet banking for commercial banking customers”; highly sensitive material if finders could de-code it.
Golden Goose for E-Raiders
The massive HSBC bank is so commercially vital to the region that the Post got the number two boss on the Hong Kong Legislative Council’s security panel, James To Kun-Sun, to comment. He warned that “the loss was a serious one and affected callers’ bank accounts could be at risk”. The conversations “were usually loaded with callers’ personal data given during identity checks and could be used to act against their accounts if stolen”, Mr To said.
Beijing’s own English-speaking newspaper, China Daily, got in on the story, reporting HSBC’s wide-eyed assurance that “specialised hardware and software are needed to access the recordings so the risk of data being leaked and information stolen was deemed low”. Yeah, right! In the digitally-savvy East, that’s a problem for the cyber-sinners?
Both papers gleefully recalled the bank’s earlier loss of a whole computer server, containing account details of somewhere between 55,000 and 159,000 customers, depending on which bank statement to believe, when another branch was being renovated; a Midas touchstone for Internet thieves if they could get into it. The Post said the bank “drew fierce criticism” over the breach and its Hong Kong boss later apologised.
Four days after the new HSBC breach, the Post revealed the Government agency failure: an Internet file-sharing program showing textual memos and minutes with names and other personal details on immigration offences by foreign domestic workers. It was, said the Post, the Immigration Department’s second leak in three months.
In the earlier leak, 27 files, most marked “confidential”, had been found on the same Internet site identifying individuals, travel documentation and an internal report on mistakes made by immigration officers. To make amends after that disclosure, the Immigration Department’s chief signed a formal undertaking with the Hong Kong Privacy Commissioner making 10 changes to the department’s security procedures.
Following the second slip, the best answer the department could come up with was a lame “there are no signs our computer system has been hacked”.
It all closely echoed the earlier British recordkeeping scandals that included lost digital data disks and a set of secret Ministry of Defence Iraq War intelligence papers and assessments of Al-Qaeda’s vulnerabilities left on a railway carriage seat and handed to BBC Radio by a “concerned member of the public”.
Bromides and the Usual Suspects

Home Secretary Jacqui Smith MP
British Home Secretary Jacqui Smith was questioned excitedly about those losses by Opposition MPs in the House of Commons and came up with the usual suspects and standard political bromides: middle management failings; policy reviews of data security systems.
As if they weren’t already perfectly well set out. The UK’s own National Archives offers extensive, fully comprehensive recordkeeping guidance and public sector rulebooks bristle with security regulations.
The UK media joined the fun with dark suggestions of civil service security apathy; perish the thought, but probably the root cause.
That was no comfort to records guardians, like those attending the year’s Silver Jubilee conference of the Records Management Society of Great Britain in April. They had no doubt where the fault lies: top management ignorance, perpetrated by subordinates reluctant to rock budgeting boats and jeopardise high value work-place bonuses.
In Hong Kong, the media was soon taking the mickey, too. South China Morning Post City columnist, Ben Kwok, discovered an HSBC subsidiary company promotion trumpeting: “At HSBC Private Bank we understand that things do change, including what looks safe today.” Columnist Kwok gibed: “You can say that again. We hope the advertising copywriter wasn’t trying to be funny because we doubt (the clients involved) will get the joke.”
It will probably be a long time before anyone admits responsibility or the extent of damage in either London or Beijing although, in September, the Hong Kong Government earmarked HK$35 million (AU$5 million) to beef-up its hospital patient records security. While worldwide chief executives continue to ignore basic records management, State and commercial secrets will continue to leach into the hands of the ungodly to the momentary embarrassment of corporation captains and monetary burden of the poor bloomin’ taxpayer/shareholder.

Mike Steemson and Hong Kong's Victoria Harbour
Endnote
1. South China Morning News, Friday July 4, 2008

