A security breach at one of Hong Kong’s largest online shopping platforms last month led to the unauthorised access of customer information such as delivery addresses, recipient names and contact numbers.
Hong Kong Technology Venture Company Limited (HKTV), HKTVmall’s parent company, said on Friday it had detected “abnormal and suspicious activities” in its computer systems on January 26 as servers located in other Asian regions gained unauthorised access to customer information on its delivery platform.
“A small portion of the 4.38 million registered customer information at HKTVmall was accessed,” it wrote in a statement.
“HKTV has immediately contained the event and conducted a thorough investigation. It has since engaged one international and one local leading cybersecurity firm on January 27, 2022 to conduct investigation, and to further enhance HKTVmall’s robust network and system security measures in addition to the current 24-hour network security monitoring.”
It added that there was no evidence of financial loss or misuse of customer data, while credit card information and order details were untouched.
HKTVmall is one of the city’s most popular online retailers. In January, it handled nearly HK$700 million (US$89.9 million) worth of purchases, processing a daily average of about 47,400 orders.
Based on its investigation, it concluded that the affected customer information might include names of account holders, encrypted and masked login passwords, email addresses, recipients’ names, delivery addresses and contact numbers for orders placed between December 2014 and September 2018.
The date of birth, recipients’ names and email addresses for HKTVmall accounts linked to Facebook accounts and Apple ID might also have been accessed.
HKTV promised it would take responsibility for any unauthorised purchases made as a result of the data breach.
Its vice-chairman and group CEO Ricky Wong Wai-kay apologised on behalf of the company.
“We hereby express our sincere apology to the affected customers,” he said.
“Upon discovery of such an incident, the group management, our technical department and the two cybersecurity firms made continuous efforts to investigate and strengthen system security, and will make full effort to prevent further attacks.”
The company said it had implemented measures to ensure network security and reduce vulnerabilities. It had launched a review to limit the amount of client data that would be collected and retained.
It also reported the breach to police and the Office of the Privacy Commissioner for Personal Data.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said that although only a small portion of the information was involved, tens of thousands of accounts might be affected, given the large number of customers using the platform.
“As the passwords are all encrypted, they probably will not be leaked,” he said.
“The biggest problem is that some hackers may pose as staff from other companies and call the affected customers. By stating the customers’ account names or personal information such as phone numbers and addresses, they may lure the customers into providing passwords or verification codes.”
He urged consumers to be vigilant about such calls or emails. Users should also consider changing the passwords of their accounts on the platform, Facebook or Apple ID and enabling two-step verification as a precaution, he added.