top of page
dpo-bg3.jpg

Latest News

Cyberattack on Hong Kong’s Shun Hing Group affects data of 1 million people

6 Jul 2026

Cyberattack on Hong Kong’s Shun Hing Group affects data of 1 million people

The Office of the Privacy Commissioner for Personal Data said on Thursday that it had launched an investigation into the incident after receiving a data breach report from Shun Hing Group on March 23 (can also refer to earlier post in news in DPO website).


Personal information of more than 920,000 customers, including their names, addresses and email addresses, involved in breach.

PCPD July Professional Workshops-8 Jul DAR_22 Jul AAB

25 Jun 2026

PCPD July Professional Workshops-8 Jul DAR_22 Jul AAB

Data Access Request

There are stringent requirements for compliance with a DAR under the Personal Data (Privacy) Ordinance. Dealing properly and effectively with a DAR is a challenge for many organisations. This workshop will examine in details those requirements and offer guidance on the handling of a DAR.

https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop_outlines.html#3


Administrative Appeals Board

The Board is the statutory body that hears and determines appeals against the decisions of the Privacy Commissioner for Personal Data (“the Commissioner”) by a complainant or the relevant data user complained against. The High Court of Hong Kong deals with magistracy appeals against criminal offences committed under the Ordinance. This workshop (to be conducted by experienced lawyers from the office of the Commissioner) will examine some recent decisions which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work.

https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop_outlines.html#15

[Join us on 30 June 2026] - PCPD-HKU Joint Data Protection Event - "The New AI Era: Data Protection & Cybersecurity in Higher Education" - 2nd Reminder with changes (first post on 11 May)

22 Jun 2026

[Join us on 30 June 2026] - PCPD-HKU Joint Data Protection Event "The New AI Era: Data Protection & Cybersecurity in Higher Education" - 2nd reminder

"The New AI Era: Data Protection & Cybersecurity in Higher Education" - first post on 11 May


Our distinguished speakers / panelist include:

  • Mr. Alex Chan, Assistant Privacy Commissioner, Office of the Privacy Commissioner for Personal Data (PCPD)

  • Mr. Raymond Lam, Chief Superintendent, Cyber Security and Technology Crime Bureau (CSTCB)

  • Mr. Otto Lee, Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)

  • Mr. Leonard Chan, MH, Founding Chairman, Hong Kong Innovative Technology Development Association (HKITDA)

  • Prof. S.M. Yiu, Professor, School of Computing & Data Science, The University of Hong Kong (HKU)

In addition, we will have "the Little Grape" as the special guest for the afternoon!


Talks at the events:

  • Navigating Data Privacy Risks in the Use of AI in Higher Education (by Mr. Alex CHAN)

  • Digital Resilience: The Industrialisation of Cybercrime (by Ms. Rachel HUI)

  • Cybersecurity in Higher Education: Trends, Threats & Defences (by Mr. Otto LEE)

Panel Topic: Innovation vs. Third-Party Risk: Balancing Progress and Privacy

  • Moderator: Mr. Leonard CHAN, MH

  • Panelists: Mr. Alex CHAN, Ms. Rachel HUI, Mr. Otto LEE, Prof. S.M. YIU

Registration:

For HKU staff: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=106167

For Non-HKU members: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?guest=Y&ueid=106169

PCPD established the Hong Kong International Data Privacy Academy

22 Jun 2026

PCPD established the Hong Kong International Data Privacy Academy

The Hong Kong International Data Privacy Academy (“the Academy”) was officially launched on 16 June 2026 by the Honourable Mr Paul LAM Ting-kwok, GBS, SC, JP, the Secretary for Justice of the Government of the Hong Kong SAR, China, and other officiating guests during the 30th Anniversary Privacy Protection Summit of the Office of the Privacy Commissioner for Personal Data (“PCPD”).


The PCPD established the Academy to actively align with the Country’s 15th Five-Year Plan in supporting Hong Kong’s development as an international high-calibre talent hub and the Government’s policy under the “One Country, Two Systems” to leverage the distinctive advantages of enjoying strong support of the Motherland and being closely connected to the world.  It also aims to support the formulation and implementation of the first Hong Kong’s Five-Year Plan by the HKSAR Government under the leadership of the Chief Executive, thereby integrating actively into and serving the overall national development.

Kee Wah Bakery hit by ransomware attack; customer and staff data compromised

17 Jun 2026

Kee Wah Bakery hit by ransomware attack; customer and staff data compromised

Kee Wah Bakery announced on Tuesday (16 June) that its internal network system was hit by a malicious ransomware attack last week, potentially exposing the personal data of its employees, business partners, online customers, and loyalty program members.


The company assured the public that customers' payment and credit card details were not affected by the incident, and emphasized that all of its retail outlets across Hong Kong continue to operate as normal.


News in Chinese: https://news.mingpao.com/ins/%E6%B8%AF%E8%81%9E/article/20260616/s00001/1781607987164/%E5%A5%87%E8%8F%AF%E9%A4%85%E5%AE%B6%E7%B6%B2%E7%B5%A1%E7%B3%BB%E7%B5%B1%E5%8F%97%E6%94%BB%E6%93%8A%E4%B8%A6%E9%81%AD%E5%8B%92%E7%B4%A2-%E6%B6%89%E5%8F%8A%E5%93%A1%E5%B7%A5%E8%88%87%E5%AE%A2%E6%88%B6%E7%AD%89%E8%B3%87%E6%96%99-%E7%84%A1%E6%B3%95%E7%A2%BA%E8%AA%8D%E6%9C%89%E5%90%A6%E8%B3%87%E6%96%99%E5%A4%96%E6%B3%84#goog_rewarded

Nottingham Uni says student records raided after ShinyHunters claims cyberattack

14 Jun 2026

Nottingham Uni says student records raided after ShinyHunters claims cyberattack-Crooks claim 40 GB haul as breach database pegs_email addresses exposed at 455K

The University of Nottingham has confirmed a cyberattack on its student  record system after the ShinyHunters crew claimed to have stolen tens of  gigabytes of data from the Russell Group institution.


Around 40 GB of the institution's data was stolen, data included billing and payment records, credit card and payment details,  student finance data, and "campus portal exports." The criminal crew further claimed that the University of Nottingham's Malaysia and China campuses were also compromised.

Man sent to prison for selling data of 7 millions elderly Americans

3 Jun 2026

Man sent to prison for selling data of 7 millions elderly Americans

A North Carolina man was sentenced to more than 10 years in prison for selling the personal information of over 7 million elderly Americans to Jamaican scammers.


57-year-old Troy Murray (who used the Steve Dixon pseudonym) pleaded guilty in January 2026 to one count of conspiracy to commit wire fraud and was sentenced Thursday to 121 months in prison, three years of supervised release, and ordered to forfeit $5,2 million. According to court documents, between 2016 and 2023, Murray sold lead lists containing the names, phone numbers, physical addresses, and email addresses of elderly Americans to scammers in Jamaica and elsewhere, who used the information to commit lottery fraud. Murray earned hundreds of thousands of dollars annually after typically charging $500 per list of 100 to 300 names. 

Carnival confirms ShinyHunters cruised off with 6M customer records after April breach

2 Jun 2026

Carnival confirms ShinyHunters cruised off with 6M customer records after April breach

Carnival Corporation - the world's largest cruise operator - has confirmed a digital heist, a month after hacking crew ShinyHunters claimed to have stolen millions of customers' records.


The breach, Carnival confirmed, stemmed from an April 14 social engineering attack on an employee, though the company declined to comment on the scale or name ShinyHunters. A company filing with the Maine attorney general's office puts the number of affected individuals at just under 6 million, down from the 8.7 million records previously listed by Have I Been Pwned.

PCPD Compliance Checks on 60 Organisations of AI Impact on Personal Data Privacy

1 Jun 2026

PCPD Compliance Checks on 60 Organisations of AI Impact on Personal Data Privacy

To actively align with the National “15th Five-Year Plan” and implement the policy direction of HKSAR in promoting “AI Plus”, the PCPD launched a new round of compliance checks in January 2026, following the two rounds of compliance checks completed in 2024 and 2025. The PCPD published the findings of the compliance checks on 19 May. The compliance checks covered 60 organisations.


- https://www.pcpd.org.hk/english/news_events/media_statements/press_20260519.html#_ftn3:~:text=the%20report%20today.-,Annex,-The%20Privacy%20Commissioner%E2%80%99s

- https://www.pcpd.org.hk/english/artificial_intelligence/index.html


7-Eleven Breach: Hackers Claim 600,000 Records Stolen

28 May 2026

7-Eleven Breach: Hackers Claim 600,000 Records Stolen

In breach notification letters dated May 1, the company said the attackers accessed “certain 7-Eleven systems used to store franchisee documents.” 7-Eleven added that the affected files such as names, addresses, and other identifying information. The hackers claimed to have stolen more than 600,000 records connected to 7-Eleven. The group allegedly later published a 9.4GB archive of stolen files after ransom negotiations failed.


The incident adds 7-Eleven to a growing list of organizations reportedly targeted by ShinyHunters, including companies in education, retail, entertainment, healthcare, and technology. Roughly 185,300 people had their data exposed, according to a report from BleepingComputer.

CISA contractor’s public GitHub repo exposed sensitive government credentials

20 May 2026

GitHub repo (contractor of CISA) exposed sensitive government credentials

A public GitHub repository containing highly sensitive internal credentials and systems used by the US Cybersecurity and Infrastructure Security Agency (CISA) has been revealed, based on information published by Tech Radar.


The repository, named "Private-CISA" and maintained by contractor Nightwing, exposed AWS administrative credentials, access keys, tokens, plaintext usernames and passwords for internal CISA systems, and SSH keys. Security researchers confirmed the authenticity of the leak, with some credentials reportedly still functional. The repository detailed CISA's internal software build and deployment processes.

A hotel check-in system left a million passports and driver’s licenses open for anyone to see

18 May 2026

A hotel check-in system Tabiq left a million passports and driver’s licenses open for anyone to see

A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible.


The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea for several hotels across Japan and relies on facial recognition and document scanning to check guests in.

“Digital Omnibus on AI” - EU agrees to simplify AI rules to boost innovation and ban ‘nudification' apps to protect citizens

13 May 2026

“Digital Omnibus on AI” - EU agrees to simplify AI rules to boost innovation and ban ‘nudification' apps to protect citizens

The European Commission welcomes the political agreement reached today between the European Parliament and the Council of the EU on simpler, innovation-friendly rules for artificial intelligence (AI).


The Commission proposed the Digital Omnibus on AI only five months ago as part of the EU's simplification agenda to boost Europe's competitiveness. This will make the implementation of the AI Act for EU businesses easier while maintaining its benefits for European society, safety and fundamental rights.

智能体规范应用与创新发展实施意见- Chinese AI Agents Guidelines

13 May 2026

Chinese AI Agents Guidelines-互聯網絡信息辦公室_智能体规范应用与创新发展实施意见

As of 8 May, Chinese key regulators including CAC, NDRC and MIIT jointly issued the implementation guidelines to promote the standardized application and innovative development of AI agents, amid the country’s accelerated push to advance the “AI Plus” action.

The Chinese guidelines is a typical top-down approach with priorities on 19 scenarios  including critical sectors such as energy, agriculture, public transportation, healthcare, judiciary, e-government, education and banking finance.  


It is different from the bottom-up approach taken under the Model AI Govenance Framework for Agentic AI issued by Singapore IMDA earlier in January 2026.

The guidelines also encourage mandatory national standards for AIP adopted for specific sectors. It emphasizes AI security in particular supply chain security.

Canvas cyberattack: NUS, SIM ask users to reset passwords as added precaution

10 May 2026

Canvas cyberattack: NUS, SIM ask users to reset passwords as added precaution

Affected users will be prompted to do so when they next access NUS IT services, including their e-mails, VPN or other systems requiring NUS authorisation. 


As it continues to monitor the situation, NUS said Canvas has been placed under controlled access, adding that only selected users who require Canvas for critical academic or operational purposes will be granted access.

NVIDIA confirms GeForce NOW data breach affecting Armenian users

10 May 2026

NVIDIA confirms GeForce NOW data breach affecting Armenian users

GeForce NOW user information has been exposed in a data breach. “Our investigation found no impact on NVIDIA-operated services. The issue is limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia. ” the company said. The statement comes in response to a post last week on a hacker forum from a threat actor using the ShinyHunters nickname, claiming to have breached the GeForce NOW service and stolen millions of user records.


The gaming and hardware giant has clarified that the impact is limited to Armenia, and was caused by a compromise of the infrastructure operated by a regional partner.

The company added that its own network was not impacted by the incident.

Thousands of AI ‘Vibe Coding’ Apps May Expose Sensitive Medical, Business Data

9 May 2026

Thousands of AI ‘Vibe Coding’ Apps May Expose Sensitive Medical, Business Data

A new investigation by Israeli cybersecurity firm Red Access found thousands of AI-generated web apps leaking data ranging from medical records to internal business documents. The findings add to mounting concerns about vibe coding, a fast-growing trend in which users rely heavily on AI tools to generate and deploy software with little or no traditional coding experience.


The investigation also found roughly 380,000 publicly accessible assets created with AI-powered coding tools such as Lovable, Replit, Netlify, and Base44. According to the researchers, about 5,000 of those apps exposed potentially sensitive information.


The exposed information reportedly included medical records, financial documents, chatbot conversations, schedules, and internal business materials.

Global cyberattack on Canvas learning platform impacts 5 HK institutions amid extortion threats

9 May 2026

Global cyberattack on Canvas learning platform impacts 5 HK institutions amid extortion threats

A massive hacking attack on the widely used educational platform Canvas has compromised data and blocked access at approximately 9,000 institutions worldwide, including five in Hong Kong, as cybercriminals threaten to leak sensitive information if ransom demands are not met.


The Office of the Privacy Commissioner for Personal Data confirmed on Friday that the local institutions caught in the global breach include the Polytechnic University, the University of Science and Technology, the Academy for Performing Arts, the Hong Kong Institute of Construction, and Hong Kong Education City Limited.

Instructure confirms data breach, ShinyHunters claims attack

4 May 2026

Instructure confirms data breach, ShinyHunters claims attack

Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility.


Instructure is a U.S.-based education technology company best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning.

Hackers claim to have pinched 7.5 million Carnival cruise emails

3 May 2026

Hackers claim to have pinched 7.5 million Carnival cruise emails

  • Carnival confirmed a supply‑chain breach affecting its Holland America Line loyalty program, with millions of customer records exposed

  • ShinyHunters claimed responsibility, leaking 8.7 million records including personal details and millions of unique email addresses; including names, dates of birth, genders, and membership status details.

  • Carnival acknowledges incident and notifies authorities, but downplays scope, describing it as a phishing compromise of a single account

Copyright @2026 The University of Hong Kong. All Rights Reserved.
bottom of page