Hong Kong transit payment card operator Octopus has admitted selling the personal data of nearly two million customers to business partners.
According to local press reports, the firm has been paid HK$44 million over the last four and a half years by six companies, including Cigna Worldwide Life Insurance, for data that was used for marketing.
Octopus chief executive Prudence Chan initially denied that data had been sold but she has since backtracked in the face of fierce criticism from Hong Kong's privacy commissioner Roderick Woo, who has launched an investigation.
Octopus has now issued a statement saying it will no longer hand over customer data to merchant partners for marketing purposes. Chan says the company believes its policies are based on Hong Kong's Personal Data Ordinance but acknowledges customers concerns.
"To put their minds at ease, we believe the best way forward is to terminate all activities that involve the provision of customers' personal data to merchant partners for marketing purposes," she says.
Octopus, like London's Oyster system, has proved hugely successful since its launch in 1997 but has faced controversy before.
In 2007 it admitted wrongly deducting a total of HK$3.7 million from 15,270 customers over seven years because of a fault in its EFT system which resulted in funds being deducted from customers' bank accounts but not credited to their travel passes.