
Latest News

HKU Privacy Management Program Update

14 May 2025

HKU Privacy Management Program Update

June 6 - HKU Data Protection Coordinator meeting - ready for registration

14 May 2025

June 6 - HKU Data Protection Coordinator meeting - ready for registration

Education Giant Pearson hit by cyberattack exposing customer data

11 May 2025

Pearson (Education company) hit by cyberattack exposing customer data

Pearson suffered a cyberattack in which an unauthorized actor gained access to a portion of its systems; the company confirmed that the stolen data did not include employee information. The threat actors compromised Pearson's developer environment through an exposed GitLab Personal Access Token (PAT) found in a publicly reachable .git/config file.
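The root cause above, a credential embedded in a .git/config that was reachable from the web, is easy to check for. The script below is an added example written for this page, not Pearson's or GitLab's code. It assumes the current GitLab PAT format (the prefix "glpat-" followed by 20 URL-safe characters), scans the remote URLs and any http.extraheader entries of a Git config for embedded secrets, and uses a constructed sample config as input. The looks_like_git_config helper is meant to be run over the body of a GET request for /.git/config on your own web hosts: a Git config coming back instead of a 403/404 is the exposure this incident describes.

```python
"""Scan a Git config for embedded credentials (added example, not from the page)."""
import re
from urllib.parse import urlsplit

# Assumption: current GitLab personal access tokens are "glpat-" + 20 URL-safe chars.
GITLAB_PAT_RE = re.compile(r"glpat-[A-Za-z0-9_-]{20}")

# Config lines worth inspecting: remote URLs (which may carry user:secret@) and
# http.<url>.extraheader entries (which often carry an Authorization/PRIVATE-TOKEN header).
URL_LINE_RE = re.compile(r"^\s*(url|pushurl)\s*=\s*(\S+)", re.M)
EXTRAHEADER_RE = re.compile(r"^\s*extraheader\s*=\s*(.+)$", re.M | re.I)

# Constructed sample .git/config; the tokens are made up and follow the assumed format.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://oauth2:glpat-AbCdEfGhIjKlMnOpQrSt@gitlab.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:acme/app.git
[http "https://gitlab.example.com/"]
\textraheader = PRIVATE-TOKEN: glpat-UvWxYz0123456789AbCd
"""


def mask(secret: str) -> str:
    """Keep only a prefix and suffix so a report never re-leaks the secret."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def looks_like_git_config(body: str) -> bool:
    """True if an HTTP response body is a Git config file (i.e. /.git/ is exposed)."""
    return "[core]" in body and "repositoryformatversion" in body


def find_leaked_credentials(config_text: str) -> list:
    """Return one finding per embedded credential found in the config text."""
    findings = []

    # 1. Remote URLs of the form scheme://user:secret@host/...
    for key, url in URL_LINE_RE.findall(config_text):
        parts = urlsplit(url)  # scp-style git@host:path has no netloc, so no userinfo
        secret = parts.password or parts.username
        if secret:
            kind = "gitlab-pat" if GITLAB_PAT_RE.fullmatch(secret) else "url-userinfo"
            findings.append({"kind": kind, "where": f"{key} {parts.hostname}",
                             "secret": mask(secret)})

    # 2. Any extraheader is a credential by construction; flag PATs explicitly.
    for header in EXTRAHEADER_RE.findall(config_text):
        m = GITLAB_PAT_RE.search(header)
        findings.append({"kind": "gitlab-pat" if m else "extraheader",
                         "where": "http.extraheader",
                         "secret": mask(m.group(0) if m else header)})
    return findings


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_CONFIG):
        print(f"{f['kind']:12} {f['where']:28} {f['secret']}")
```

Run it against the .git/config of every repository checkout that sits under a web root or in a container image, and against the response body of /.git/config on each public host. A clean result from this scan does not prove the token was never exposed; a PAT that has ever been committed should be revoked regardless.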


Pearson is a UK-based education company supporting schools, universities, and individuals in over 70 countries through its print and online services.


Pearson stated, "once we identified the activity, we took steps to stop it and investigate what happened and what data was affected with forensics experts. We also supported law enforcement's investigation. We have taken steps to deploy additional safeguards onto our systems, including enhancing security monitoring and authentication." 



PCPD Compliance Checks on 60 Organisations to Ensure AI Security

8 May 2025

PCPD Compliance Checks on 60 Organisations to Ensure AI Security

To implement the policy direction from the "Two Sessions" to promote the "AI Plus" Initiative and the Hong Kong Innovation and Technology Development Blueprint promulgated by the Government of the HKSAR, and to promote the safe and healthy development of AI in Hong Kong, the PCPD began a new round of compliance checks in February 2025, covering 60 local organisations across various sectors, including telecommunications, banking and finance, insurance, beauty services, retail, transportation, education, medical services, public utilities, social services and government departments.

Report can be downloaded - https://lnkd.in/dMM2dCVC
More details - https://lnkd.in/dmqVqxwX

Harrods becomes latest UK retailer to suffer a cyber attack, after M&S

6 May 2025

Harrods becomes latest UK retailer to suffer a cyber attack, after M&S

The incident comes barely 48 hours after Co-op first disclosed it was experiencing a similar cyber attack that it also took proactive steps to mitigate, and less than a fortnight after M&S was forced to suspend multiple online services following an incident.


This lends weight to growing speculation that all three attacks may share a common link, originating through an as-yet unidentified third-party retail services partner in a supply chain attack.


"There must be a common thread across these retailers that has put them firmly in the crosshairs of cyber criminals. These aren't isolated events, they are a wake-up call," said Tim Grieveson, ThingsRecon.


RSVP - June 27 2025 HKU Data Protection Event with PCPD

23 Apr 2025

RSVP - June 27 2025 HKU Data Protection Event with PCPD

Please register via QR code. Look forward to your participation!

Western Sydney University discloses security breaches, data leak

18 Apr 2025

Western Sydney University discloses security breaches, data leak

Western Sydney University (WSU) announced two security incidents that exposed personal information belonging to members of its community.


WSU serves a student body of 47,000 and employs over 4,500 permanent and seasonal staff, operating with an annual budget of approximately $600 million.


1. The first incident concerns the compromise of one of the University's single sign-on (SSO) systems between January and February 2025. This breach has reportedly led to unauthorized access to demographic, enrollment, and progression information for approximately 10,000 current and former students.

2. The second incident concerns a leak on the dark web of personal information belonging to members of the University's community. Hackers published the data on 1 Nov 2024, and WSU only became aware of it on 24 Mar 2025.

UAE Launches World’s First AI-Driven Lawmaking System

17 Apr 2025

World’s First AI-Driven Lawmaking System-launched in UAE

The UAE Cabinet has greenlit a groundbreaking initiative to launch the world’s first integrated AI-based regulatory intelligence system, designed to speed up and modernize the legislative process by up to 70%.


In a historic move, the UAE Cabinet, chaired by Sheikh Mohammed bin Rashid Al Maktoum, has approved the launch of the world’s first integrated regulatory intelligence ecosystem, marking a major leap forward in AI-powered governance.

Privacy Commissioner’s Office Publishes Guidelines for the Use of Generative AI by Employees

15 Apr 2025

Privacy Commissioner’s Office Publishes Guidelines for the Use of Generative AI by Employees

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidelines_ai_employees.pdf (Eng)

https://www.pcpd.org.hk/tc_chi/resources_centre/publications/files/guidelines_ai_employees.pdf (Chinese)



  • Scope of permissible use of Gen AI: Specify the permitted Gen AI tools, the permissible purposes of use and the applicability of the policies or guidelines;

  • Protection of personal data privacy: Provide clear instructions on the types and amounts of information that can be inputted into the Gen AI tools, the permissible purposes for using the output information, the permissible storage of the output information, the applicable data retention policy and other relevant internal policies to comply with;

  • Lawful and ethical use and prevention of bias: Specify that employees shall not use Gen AI tools for unlawful or harmful activities, emphasise that employees are responsible for verifying the accuracy of AI-generated outputs through ways such as proofreading and fact-checking, and for correcting and reporting biased or discriminatory AI-generated outputs, as well as providing instructions on when and how to watermark or label AI-generated outputs;

  • Data security: Specify the types of devices on which employees are permitted to access Gen AI tools and the categories of employees who are permitted to use Gen AI tools, require employees to use robust user credentials, maintain stringent security settings in Gen AI tools, and report AI incidents according to the organisation’s AI Incident Response Plan; and

  • Violations of policies or guidelines: Specify the possible consequences of employees’ violations of the policies or guidelines, and refer to the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) for recommendations on establishing Gen AI governance structure and measures.

Cross-Border Data - China CAC data export legal regime (Q&A on Data Export Security Management Policy)

14 Apr 2025

Cross-Border Data - China CAC data export legal regime (Q&A on Data Export Security Management Policy)

https://www.cac.gov.cn/2025-04/09/c_1745906286623776.htm - in Chinese only


On 9 April, China's CAC issued a set of FAQs on the Chinese data export legal regime.

Scope of restrictions: Data export restrictions under Chinese laws apply only to 'important data' and 'personal information'. This highlights the need for organisations subject to China's data laws to classify any such data in their possession, in order to effectively address compliance requirements.

Restrictions - important data: By default, important data must be stored in China. Exporting important data requires going through a security assessment conducted by the CAC (i.e. a regulatory approval process) to ensure that the data export does not endanger national security or the public interest.

Restrictions - personal information: In contrast, exporting personal information is less restricted. In fact, there are no specific restrictions on non-CIIO organisations exporting non-sensitive personal information of fewer than 100,000 people in any one calendar year. However, exporting sensitive personal information (e.g. biometrics, financial or medical data) is restricted, as is the export of non-sensitive personal information of 100,000 people or more in any one calendar year. Depending on the transfer scenario (sensitivity and volume), one of three mechanisms - security assessment, standard contract or certification - must be implemented.

'Necessity' for personal information export: What is sometimes forgotten is the prerequisite that a data export of personal information must be 'necessary'. The FAQs clarify that 'necessity' means the data export must directly relate to the processing purpose, have minimal adverse impact on the individuals, and adhere to the data minimisation and storage limitation principles.

Guidance for MNCs: The FAQs also address the practical challenges faced by groups of companies in complying with China's data export requirements. They suggest that a group's parent company can apply for a security assessment or sign the standard contract on behalf of its subsidiaries, so as to reduce administrative burden. Additionally, the CAC is preparing the 'certification' mechanism, which will allow multinational groups to obtain a single certification from an accredited third party and eliminate the need for each group entity to sign and file separate standard contracts.


Companies in one Chinese free trade zone can rely on the relaxed cross-border data flow rules adopted by another free trade zone. In other words, companies in the Shanghai Lin-gang Free Trade Zone can also benefit from the relaxed rules available to companies in the Beijing Free Trade Zone.



PCPD - "Good Privacy Protection Practices in the Use of AI" seminar (Cantonese only)

10 Apr 2025

PCPD - "Good Privacy Protection Practices in the Use of AI" seminar (Cantonese only)

To help organisations better protect personal data privacy when using AI, including strengthening their AI governance and formulating internal policies or guidelines on employees' use of generative AI at work, the Office of the Privacy Commissioner for Personal Data (PCPD) is holding this seminar to discuss the privacy risks brought by the spread of AI, share the AI governance recommendations and best practices for protecting personal data privacy set out in the "Artificial Intelligence: Model Personal Data Protection Framework", and introduce the PCPD's newly published "Checklist of Guidelines for the Use of Generative AI by Employees".


Speakers:

· Ms 王雅媛, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research), PCPD

· Mr 鄧昭健, Deputy General Manager and Chief Cyber Security and Privacy Protection Officer, Hong Kong Huawei International Co. Limited

Seminar highlights:

· Personal data privacy risks arising from the use of AI

· Key recommendations of the "Artificial Intelligence: Model Personal Data Protection Framework"

· Introduction to the key recommendations of the PCPD's newly published "Checklist of Guidelines for the Use of Generative AI by Employees"

· Good privacy protection practices in developing and using AI technologies

· How enterprises can strike a balance between leveraging the advantages of AI and protecting personal data privacy

Oracle quietly admits data breach, days after lawsuit accused it of cover-up

8 Apr 2025

Oracle quietly admits data breach, days after lawsuit accused it of cover-up

A lawsuit accused Oracle of failing to acknowledge a recent data breach. Oracle attempted to minimize the severity of the incident by describing the compromised system as a "legacy environment" that had been unused for eight years. The lawsuit specifically addresses a major security breach discovered in March that reportedly compromised 6 million records containing sensitive authentication-related data from Oracle Cloud infrastructure, potentially affecting more than 140,000 tenants.

Malaysian Airport's Cyber Disruption a Warning for Asia

8 Apr 2025

Malaysian Airport's Cyber Disruption a Warning for Asia

On March 23, travelers at KLIA reported disruptions with flight information display systems, check-in counters, and other services. While KLIA operator Malaysia Airports Holdings Berhad (MAHB) initially confirmed a cyberattack "affecting certain computer systems," the company claimed that operations were not affected. In a speech two days later, Malaysian Prime Minister Anwar Ibrahim called the disruption "quite heavy" and said that a ransom demand for $10 million had been refused. 


While MAHB, which operates 39 airports across Malaysia, downplayed the impact of the attack, Ibrahim described it as a heavy burden on the operator and cited the ransom demand of $10 million during a March 25 speech marking the nation's 218th Police Day.


Europcar GitLab breach exposes data of up to 200,000 customers

5 Apr 2025

Europcar GitLab breach exposes data of up to 200,000 customers

A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code and some personal information belonging to up to 200,000 customers. The actor tried to extort the company by threatening to publish 37GB of data that includes backups and details about the company’s cloud infrastructure and internal applications.


Europcar Mobility Group is a subsidiary of Green Mobility Holding that operates the Europcar, Goldcar, and Ubeeqo brands with a diverse offering of compact cars, luxury vehicles, vans, and trucks. The company's customer base is spread across 140 countries in Europe, North America, Asia, and Africa.

Enforcement Notice on ImagineX (LaneCrawford Joyce Group)

31 Mar 2025

Enforcement Notice on ImagineX (LaneCrawford Joyce Group)

A total of 127,268 individuals were affected by the incident, including 100,185 ICARD members, 27,069 Brooks Brothers members, and 14 current and former employees of ImagineX. The personal data affected included the names, email addresses, telephone numbers, birth months, genders, and nationalities of the members, as well as passport copies of the employees. The incident: ImagineX received a ransom note from a threat actor on 15 May 2024.


https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r25_09623_e.pdf

Deficiencies that contributed to the incident:

1. Failure to delete a temporary account promptly after system troubleshooting

2. Use of an end-of-support operating system

3. Ineffective detective measures for information systems

4. Insufficient security risk reviews and audits of information systems


Investigation launched into hacking of student’s records at Queen's College

28 Mar 2025

Investigation launched into hacking of student’s records at Queen's College

Queen's College emailed staff, students and parents about a cyberattack. The email explained that the school's eClass system was hacked and students' violation records were changed with the addition of fake punishments under different teachers' names. eClass is a school management platform in Hong Kong used by over 800 schools. It helps with tasks such as tracking student performance and managing teaching materials.


The school has promised to review its cybersecurity and implement new measures to protect student data. The incident highlights the growing vulnerability of educational institutions to cyberattacks.

Cybersecurity firms brace for impact of potential Oracle Cloud breach

28 Mar 2025

Cybersecurity firms brace for impact of potential Oracle Cloud breach

As evidence continues to pile up, security providers warn customers to secure networks as they wait for official guidance following claims of a massive attack against Oracle Cloud.


A threat actor last week claimed to have stolen 6 million data records, including user credentials, from Oracle Cloud, which could affect more than 140,000 customers. After initially releasing strong denials, Oracle has been silent this week, while security researchers have compiled evidence backing claims of an actual attack.


https://www.techradar.com/pro/security/oracle-denies-data-breach-after-hacker-claims-to-hold-six-million-records

https://www.darkreading.com/cyberattacks-data-breaches/oracle-still-denies-breach-researchers-persist

Oracle this week steadfastly continued to deny an alleged breach of its Oracle Cloud environment even as some security researchers doubled down on their analysis suggesting otherwise.


Far East Consortium (00035.HK) hacked, with about 250GB of data leaked

26 Mar 2025

Far East Consortium (00035.HK) hacked, with about 250GB of data leaked

According to local media Jizhishe, the systems of Far East Consortium (00035.HK) were hacked and a data leak occurred, involving about 250GB of data dated 5 Mar. The PCPD confirmed that it had received the company's notification of the incident last Monday (17th). The leaked material included items named "EmailBackup", "Proj-KT6607-Kai Tak 6607 Vo", "Password.xlsx" and "Login ID&PW", among others.

Lingnan University experiences breach, leaking over 1,000 documents

15 Mar 2025

Lingnan University experiences breach, leaking over 1,000 documents

On 11 Mar, Lingnan University discovered a significant breach in one of its information systems, leading to the leakage of over a thousand internal documents. The incident compromised the sensitive personal information of faculty, students, and former course applicants. Approximately 200 of these documents contained critical data, including names, photographs, personal contact details, identification card information, and financial, educational, and employment-related information.


The university stated that they are also committed to enhancing their internal network security measures to prevent similar incidents in future.

Government department Companies Registry cleared of privacy violations despite 100,000-person data breach

12 Mar 2025

Government department Companies Registry cleared of privacy violations despite 100,000-person data breach

The PCPD concluded its investigation on Mar 12 2025, attributing the breach to the use of common modules in the system’s design, which inadvertently included excessive data fields.


A total of 109,002 individuals may have been affected, including 108,575 company directors whose HKID card numbers, passport numbers, and residential addresses were exposed. The breach was reported by the Companies Registry on April 19, 2024, after it identified a risk of personal data leakage in the e-Search Services of its e-Services Portal, following a system revamp launched in late 2023.


Given the security measures taken during the system revamp and the lack of evidence of unauthorized access, the PCPD found insufficient grounds to conclude that the Companies Registry had failed to take all practicable steps to safeguard personal data, and it was therefore cleared of privacy violations.

Copyright @2024 The University of Hong Kong. All Rights Reserved.