
Latest News
12 Feb 2025
AI Governance Status - HK / Mainland China CAC / EU AI Act
https://www.tannerdewitt.com/artificial-intelligence-regulatory-landscape-in-china-and-hong-kong/
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
https://www.mfa.gov.cn/eng/wjbzhd/202412/t20241218_11497479.html
HK AI regulation - adopted a context-based approach. Regulators (PCPD) have published regulations & guidelines within existing frameworks in the development, supply and use of AI systems in HK.
China GenAI Regulation - Released on Sep 14, 2024, by the Cyberspace Administration of China (CAC) aims to standardise the labelling of AI-generated content to safeguard public interests and protect the rights of citizens, organisations, and legal entities.
The European AI Office, established in Feb 2024 within the Commission, oversees the AI Act’s enforcement. The AI Act entered into force on 1 Aug 2024, and will be fully applicable 2 years later on 2 Aug 2026. It sets out a clear set of risk-based rules to measure guarantee safety, fundamental rights and human-centric AI, and strengthen uptake, investment and innovation in AI across the EU.
8 Feb 2025
Google Starts Tracking All Your Devices In 10 Days
Republished on February 8th with new analysis into Google’s tracking cookie replacement and implications for Chrome’s 3 billion users.
While there’s no agreed end-date to tracking cookies, Google has teased a one-click solution for users to stop being tracked. Think of this as its equivalent to App Tracking Transparency deployed by Apple. Google doesn’t need tracking cookies itself. It almost certainly knows who you are because you hold one of its accounts.
4 Feb 2025
Meta Confirms WhatsApp Hack—Act NowTo Stay Safe
Meta has confirmed that a zero-click, no-interaction required hacking attack has impacted users of the WhatsApp secure messaging platform. Meta has not confirmed where they were located geographically although it is believed they were from more than 20 countries. Those users were compromised by spyware from an Israel-based software company called Paragon Solutions. Meta has issued a cease and desist letter to Paragon and is exploring further legal avenues. Paragon, meanwhile, is yet to comment.
3 Feb 2025
2025 Feb-Mar PCPD Professional Trainings
12 Feb, 2:15–5:15pm, Face-to-Face - Data Protection in Human Resource Management
26 Feb, 2:15–5:15pm, Online - Data Protection in Direct Marketing Activities
5 Mar, 2:15–5:15pm, Online - Recent Court & Admin Appeals Board Decisions
12 Mar, 2:15–5:15pm, Online - Data Protection in Banking/Financial Services
19 Mar, 2:15–5:15pm, Face-to-Face - Data Protection & DAR
12 Feb - Professional Workshop on Data Protection in Human Resource Mgt
Key take-aways:
• A thorough understanding of the requirements of the PDPO and the Code of Practice on Human Resource Management when handling employees’ personal data in the entire employment process from cradle to grave
• How to properly handle Data Access Requests
• How to tackle employees’ personal data privacy issues arising from COVID-19
3 Feb 2025
202411 PCPD Data Breach Incident Trends and Sharing (in Chinese only)
Presentation in Chinese only.
Additional info:
https://www.hkcert.org/f/report/912892/916161/2024Q3%20HK%20SecurityWatchReport%20(Chinese).pdf
https://www.infosec.gov.hk/tc/knowledge-centre/data-breach
27 Jan 2025
Official Receiver's Office Lost 7 Boxes of Backup Tapes Containing 76,000 Personal Information
Seven cassettes of tapes were lost during the transportation from the Immigration Tower to the Queensway Government Offices on December 23 2024 in accordance with the recovery and backup procedures. The incident has been reported to the relevant authorities, including the Hong Kong Police Force, the Office of the Privacy Commissioner for Personal Data, the Security Bureau and the Digital Policy Office. PCPD received a notification of the data breach incident on 24 January and had initiated an investigation into the incident in accordance with established procedures.
27 Jan 2025
PowerSchool (education technology student info system) hack - 62M students_9M teachers affected
In late December 2024, an unidentified threat actor used stolen credentials to access its PowerSchool Student Information System (SIS) platform. The information grabbed included names, postal addresses, grabbed in some districts Social Security numbers (SSN), personally identifiable information (PII), medical information, and grades.
24 Jan 2025
PCPD Investigation Findings on the Data Breach Incident of Oxfam (refer to news posted dated July 29 2024)
Last news posted on July 29 2024-Oxfam HK revealing it suffered cyberattack
PCPD report - The investigation revealed that over 330 GB of data was exfiltrated potentially affected around 550,000 data subjects. Below deficiencies of Oxfam contributed to the occurrence of the Incident:
Outdated Firewalls which contained critical vulnerabilities;
Failure to enable multi-factor authentication;
Lack of critical security patches of servers;
Ineffective detection measures in the information systems;
Inadequacies of the security assessments of information systems;
Lack of specificity of its information security policy; and
Prolonged retention of personal data.
23 Jan 2025
Data breach fines should not be too high or too low
The government says it will look at how big the fines should be for companies that breach data protection laws to make sure they are acceptable to firms, while still having a deterrent effect.
LCQ2: Prevention of personal data breaches and financial crimes
https://www.info.gov.hk/gia/general/202501/22/P2025012200305.htm
Subsequent to the briefing for the Panel on Financial Affairs of the Legislative Council in October 2024, the Government is currently drafting the legislative amendments and will continue to engage the PCPD and other stakeholders to ensure that a balance is struck between fighting against financial crime and safeguarding personal data privacy in the legislative amendments.
17 Jan 2025
PCPD Tips to Prevent Fraud - Enquiries Soar by Over 40% in 2024
PCPD received 1,158 enquiries relating to suspected personal data frauds in 2024 (793 in 2023); including
Fraudulent Recruitment Advertisements Scams
Scams Using Instant Messaging Applications (Apps)
Scams by Counterfeit Customer Service Agents/Online Auction Platforms
SMS/Email Scams
Telephone Scams
Scam Videos Using Artificial Intelligence (AI) Deepfake Technology
Scams on Social Media Platforms
Tips
Be vigilant
Authenticate the identity of callers
Keep an eye on your accounts and transaction records
Password protection
Smart use of social media and instant messaging apps
Fraud prevention information
2 Jan 2025
PCPD shared six tips on fraud prevention with the elderlies
The Volunteer Team of the PCPD visited St. James’ Settlement Wan Chai District Elderly Community Centre on 20 December and organised a Christmas fraud prevention gathering for around 200 elders. The event aimed to enhance the elderly’s awareness of fraud prevention in a lively and joyful way.
Powerpoint in Chinese only - https://www.pcpd.org.hk/english/news_events/media_statements/files/20241220_PC.pdf
27 Dec 2024
Japan Airlines System Hit by Cyber Attack
Japan Airlines (JAL) got attack, which began at 7:24 AM local time , targeted the airline’s internal and external network equipment, leading to system malfunctions that have impacted communication and operational processes.
JAL is the nation’s second-largest airline, reported a significant cyberattack on its systems early Thursday morning, causing disruptions to both domestic and international flight operations.
In 2022, a similar attack disrupted operations at a Toyota supplier, halting production at domestic plants for an entire day. More recently, in June 2024, the video-sharing platform Niconico suspended its services due to a large-scale cyberattack.
10 Dec 2024
PCPD enforcement notices on “Blind” Recruitment Advertisements Posted on OnlineJobs DB
PCPD has served enforcement notices on JobsDB and 3 recruiting organisations, directing them to take measures to remedy the contraventions and prevent recurrence and issued an advisory letter to each of the remaining five organisations.
PCPD call upon other operators of online recruitment platforms to:
Beware of anyone using Blind Ads to perpetrate frauds or collect personal data by unfair means; and
Carefully review recruitment advertisements received to identify Blind Ads and avoid publishing the same in order to protect the personal data privacy of members of the public.
The PCPD reiterated that Blind Ads may be used as an unscrupulous means to collect personal data and may be misused by swindlers to collect personal data for fraudulent activities. When job seekers are unable to ascertain the employers’ identities, they should check and verify the information contained in the Blind Ads carefully and should not respond to the Blind Ads arbitrarily and submit their personal data.
9 Dec 2024
Privacy Commissioner confirms data breach affecting 17,000 individuals by EMSD
PCPD has uncovered a significant data breach involving EMSD, affecting over 17,000 individuals who were subject to 14 compulsory testing during the pandemic from March to July 2022, including names, addresses, identity card numbers, and phone numbers.
This incident highlights four major deficiencies in the EMSD’s handling of personal data.
1. Lack of written policies on the retention of personal data collected in the RTD operations.
2. Failure to make unequivocal request to the contractor for deletion of the relevant data.
3. Failure to take the initiative to delete the personal data involved.
4. Failure to properly follow up with the contractor on the deletion of data.
Investigation report: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf
6 Dec 2024
Deloitte UK Hacked – Brain Cipher Ransomware Group Allegedly Stolen 1 TB of Data
Notorious ransomware group Brain Cipher has claimed to have breached Deloitte UK, allegedly exfiltrating over 1 terabyte of sensitive data from the professional services giant.
Brain Cipher is a ransomware group that emerged in June 2024, quickly gaining notoriety for its cyberattacks on organizations worldwide. Notably, it was responsible for a significant attack on Indonesia’s National Data Center, which disrupted services for over 200 government agencies, including immigration and passport control.
According to statements posted by Brain Cipher, the attack has exposed critical vulnerabilities in Deloitte UK’s cybersecurity infrastructure.
2 Dec 2024
PCPD and HKPC Jointly Release “HK Enterprise Cyber Security Readiness Index and AI Security” Survey
The PCPD and HKPC jointly released the results of the “HK Enterprise Cyber Security Readiness Index and AI Security” survey on 21 November. The “HK Enterprise Cyber Security Readiness Index” has increased by 5.8 points to 52.8 points (maximum being 100 points) compared with last year. The index comprises four areas including “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”.
Full survey: https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/AISecuritySurvey2024.pdf
HKPC’s “Phishing Defence Services”: https://www.hkpc.org/en/our-services/digital-transformation/cyber-security/phishing-defence-services
21 Nov 2024
Fintech For 45 Of 50 Top Banks Confirms Data Breach
Finastra, a global leader in financial technology that serves 45 of the world’s top 50 banks, has confirmed a major data breach impacting its internal file transfer system SFTP. The London-based firm, which facilitates vital banking and wire transfers for over 8,100 financial institutions worldwide, detected the breach on Nov. 7.
The breach targeted Finastra’s internally hosted Secure File Transfer Platform, or SFTP, which was exploited using stolen credentials—essentially, a username and password.
19 Nov 2024
Facebook Data Breach Fallout—Millions May Receive Compensation
Facebook's ongoing privacy struggles, a German court has ruled that users affected by the massive 2019 data breach can seek compensation without proving specific damage, as reported by Bloomberg. This ruling represents a meaningful shift in how tech companies may be held accountable for data protection failures.
The 2019 breach exposed the personal information of 533 million Facebook users across 157 countries through a technique known as "scraping." The scope of exposed information was extensive, including full names, phone numbers, locations, birth dates, email addresses and biographical information.
12 Nov 2024
Amazon confirms employee data breach after vendor hack
Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. The threat actor Nam3L3ss, published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more.
Amazon spokesperson Adam Montgomery confirmed Nam3L3ss' claims, adding that this data was stolen from systems belonging to a third-party service provider.
Nam3L3ss has also leaked the data from twenty-five other companies. However, they say some of the data was obtained from other sources, including ransom gangs' leak sites and exposed AWS and Azure buckers.
5 Nov 2024
Personal data of 148,000 people leaked in breach at two HK hearing centres
Widex Hong Kong Hearing and Speech Centre and subsidiary Starry Hearing and Speech Centre say they were among outlets suffered a ransomware attack on July 5 that had encrypted their internal system data and impacted their applications.
The Office of the Privacy Commissioner for Personal Data estimated on Nov 4 that about 148,000 customers and 30-50 current and former employees had been affected.
Widex is a Denmark-based company that was founded in 1956 and specialises in hearing aids and related services. Its Hong Kong branch was established in 1986 and is one of the first private institutions to offer hearing and speech therapy services in the city.