Octopus Card admits making money selling personal data to third parties

After weeks of denial, the issuer of Octopus cards in Hong Kong admitted it made HK$44 million in the past half decade by selling data from its card holders to third party partners. Prudence Chan, chief executive of Octopus Holdings, which owns Octopus Cards, has issued a “sincere apology” to affected cardholders. But who would ever believe such sincerity if the act itself is not an unintended mistake but a deliberate effort to make money. I guess the management behind the Octopus Cards is aware of protecting privacy issues in the lines of email unsubscribes and even before Facebook got heavily criticized for revising its privacy policies.

Chan admits that the data of 1.97 million customers were sold to six partners of the rewards schemes namely Octopus Rewards. As a result, each affected cardholder had been contacted for promotions an average of 1.7 times. This is in stark contrast from her earlier claims that her company never sold card holder data. From the moment her statements contradicted, Ms Chan already lost public trust, notably the holders of Octopus cards such as MTR travelers.

Maybe this is what we get from a company that controls basically every transaction we do involving smart cards every single day. Not even a privacy ordinance that punishes offenders is powerful enough to deter similar acts. Heck, if the maximum fine is HK$10,000 and six months imprisonment, many would still be tempted to violate the law in exchange for millions. As counterpart offenders, “merchant partners” are willing to pay for such information if it only means they will be able to target customers even more closely.

It’s unfair that while we pay to take an MTR ride, Octopus Cards shares our personal information to its so called partners for a fee without us benefiting from the deal. As a result, we may receive junk mail in our email inbox, get a random call from a try-hard telemarketer or our mailboxes filled with messages that offer irrelevant promotions. Should the MTR, as parent company of Octopus Cards, subsidize our trips to compensate this compromised personal information? Maybe that would not be enough, as many passengers would prefer to pay the full amount if it meant better security of personal data.

Cigna, a health insurance company and one if Octopus Cards partners, admits to possessing the personal data of 46,000 Octopus Card holders but its CEO Edward Kopp insisted that his company was provided with such data and did not buy it.

I am sure there are cardholders who don’t mind receiving offers from merchant partners, but the fact that data was exchanged between two parties without the consent of real owners already constitutes committing a crime.