
Latest News

2026 Mar-Apr PCPD Professional Workshops (charged)

5 Mar 2026

2026 Mar-Apr PCPD Professional Workshops (charged) - Practical Workshop on Data Protection Law


https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop.php - Application Form for all upcoming professional workshops.


Practical Workshop on Data Protection Law

Date: 22 Apr 2026 (Wed), Time: 2:15pm – 5:15pm

Key takeaways:

  • Examining the application of the six data protection principles with special highlights on recent administrative appeals board and court cases.

  • What are the local and global trends in protecting data privacy rights?

  • Problems frequently encountered by organisations dealing with personal data, including:

- What are the points to consider when drafting a personal information collection statement?
- What are the special requirements in complying with or refusing to comply with a data access/correction request?
- How to comply with the direct marketing requirements in a joint marketing campaign?
- What are the steps to take when outsourcing the processing of personal data to agents located in or outside Hong Kong?
- How to determine whether an exemption provision applies to a particular situation, including requests for personal data possessed by organisational data users?

  • How to strike the right balance between protecting personal data of individuals and safeguarding the organisations’ best interests?

  • Consequences of breach of the Ordinance and liabilities of key officers

  • Sharing of practical experiences in applying the rationale behind legal and quasi-legal decisions, coupled with illustrations from real-life examples.

Jan-Feb PCPD Professional Workshops

https://dpo.hku.hk/news/2026-jan-feb-pcpd-professional-workshops-(charged)


PCPD Newsletter - Personal Data Security Incidents of Three Organisations

28 Feb 2026


The PCPD has served an Enforcement Notice or a warning letter on each of the three organisations, directing them to remedy and prevent recurrence of their respective contraventions.


Summaries of the Three Data Security Incidents

  1. The complainant worked for a security service company. The complainant’s supervisor sent a notice of termination of employment containing the complainant’s HKID card number to a work-related chat group in an instant messaging application. This resulted in the disclosure of the complainant’s personal data to other staff members in the group.

  2. The head of the security department of a hotel stored annual performance appraisal forms of departmental staff members in a desk drawer. As the desk was shared among staff members of the department and the department head did not lock the drawer in accordance with the hotel’s guidelines, the complainant (an employee of the hotel’s security department at the material time) inadvertently read the appraisal forms that contained the personal data of all the departmental staff members stored in the drawer while searching for other documents.

  3. An administrative staff member of a social welfare organisation was responsible for scanning a dismissal document relating to the complainant. During the process, the staff member mistakenly saved the scanned copy in the department’s shared folder. As a result, the complainant’s personal data contained in the document was accessible to other staff members of the department.

PCPD-HKIRC joint event: “AI Security and Cybersecurity Summit for Enterprises” (Summit) 31 Mar 2026

28 Feb 2026


Registration by 5pm on 27 March 2026.


The Office of the Privacy Commissioner for Personal Data (PCPD) and the Hong Kong Internet Registration Corporation Limited (HKIRC) will co-organise the “AI Security and Cybersecurity Summit for Enterprises” (Summit) on 31 March 2026. Registration is now open to all sectors!


With the Digital Policy Office acting as a strategic partner, the Summit will feature two key thematic areas – “AI Security” and “Cybersecurity”, each presenting dedicated keynote presentations and panel discussions. The event will bring together leading experts, industry leaders, policymakers and company directors to explore the evolving AI security and cybersecurity threat landscape, exchange innovative solutions, and share insights into strengthening cybersecurity and data protection in the age of AI.

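Ngong Ping 360 systems hit by ransomware attack, involving personal data of staff, annual pass holders and others

27 Feb 2026

Personal data stolen in ransomware attack on Hong Kong’s Ngong Ping 360 attraction

Ngong Ping 360 said it is assessing the stolen data, continuing to monitor the situation and carrying out follow-up work. Its preliminary assessment is that the affected personal data includes that of Ngong Ping 360 staff, annual pass holders, people who took part in marketing activities or are on its promotional mailing lists, suppliers and Ngong Ping Village tenants. The data involved has been preliminarily confirmed as names and contact details, such as telephone numbers or email addresses, and the company has begun communicating with the affected individuals.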


English version of the news - https://www.scmp.com/news/hong-kong/law-and-crime/article/3344932/personal-data-stolen-ransomware-attack-hong-kongs-ngong-ping-360-attraction


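PCPD concerned about infringing and indecent AI-generated videos; joins 60 organisations worldwide in statement urging tech companies to protect the vulnerable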

24 Feb 2026

Joint Statement on AI-Generated Imagery and the Protection of Privacy

https://www.pcpd.org.hk/english/news_events/media_statements/files/2026.02.23_JointStatement_AIGeneratedImagery.pdf


Expectations for Organisations

• Implement robust safeguards to prevent the misuse of personal information and generation of non-consensual intimate imagery and other harmful materials, particularly where children are depicted.

• Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse.

• Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests.

• Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.

Figure Data Breach Exposes Nearly 1 Million Customers Online

23 Feb 2026


Figure is a fintech lender. According to reporting by TechCrunch and subsequent analysis, 967,200 customer email records were compromised after a social engineering attack granted unauthorized access to Figure’s internal systems.


Roughly 2.5 GB of data was posted online by ShinyHunters, suggesting a sizable internal data set. Because birth dates and home addresses are commonly used in identity verification across financial and telecom services, their exposure significantly increases the potential for misuse.

ICO wins appeal over data protection obligations in Currys cyber attack

22 Feb 2026

UK ICO (Info Commissioner's Office) wins appeal over data protection obligations in Currys cyber attack

The UK Information Commissioner’s Office (ICO) has won an important appeal relating to data protection obligations arising from a 2017-18 cyber attack at electronics retailer Currys PC World. Currys Group Ltd, previously DSG Retail, fell victim to a major cyber attack during a nine-month period in 2017 and 2018.


In January 2020, the ICO levied a £500,000 fine on DSG under the Data Protection Act (DPA) 1998 after its investigation found the retailer had failed to patch software systems, install firewalls, segregate its networks, conduct routine security testing, or protect personal data. The fine was lower than that mandated under GDPR because the breach took place before the legislation came into effect.

Eurail says stolen traveler data now up for sale on dark web

18 Feb 2026


Eurail B.V., the operator that provides access to 250,000 kilometers of European railways, confirmed that data stolen in a breach earlier this year is being offered for sale on the dark web. Eurail B.V. is a Netherlands-based firm that manages and sells passes (Eurail and Interrail) for train travel across Europe, offering flexibility for multi-country trips.


Last month, the company disclosed that it suffered a data breach when threat actors gained unauthorized access to its customer database, compromising sensitive information, including full names, passport details, ID numbers, bank account IBANs, health information, and contact details (email addresses, phone numbers).


The relevant data protection authorities have been notified in accordance with the GDPR requirements, and authorities outside the EU will be alerted soon.

Hong Kong dental intern probed over alleged unlawful access to 16 patients’ records

13 Feb 2026


Hong Kong’s Department of Health (DH) has suspended a Dental House Officer on non-civil service terms and referred the matter to law enforcement after uncovering suspected unauthorised access to electronic medical records. The case surfaced when a member of the public, alerted by an SMS from the Electronic Health Record Registration Office, queried why a DH healthcare officer had viewed his records despite no recent use of DH services.


https://www.info.gov.hk/gia/general/202601/28/P2026012800601p.htm

DH follows up seriously on case of suspected unauthorised access to medical records

PCPD and HKIRC Co-organise “AI Security and Cybersecurity Summit for Enterprises”

13 Feb 2026


  • To discuss the personal data privacy risks of AI, and provide practical guidance for organisations to develop and use AI in a privacy-friendly manner;

  • To raise awareness of emerging cyber threats among organisations and explore actionable strategies and best practices for enhancing cyber resilience and data security; and

  • To facilitate networking and knowledge sharing among cybersecurity experts and AI specialists.

PCPD Launches Probe into PayMe App Over Potential Data Exposure for Early Users

12 Feb 2026


PCPD has initiated a compliance review into HSBC’s PayMe, following reports that early adopters may have unknowingly exposed their personal transaction details due to outdated privacy settings. The examination of "privacy by design" includes the vulnerability of legacy users and the need for in-app prompts.

Hong Kong company sends dismissal notice in group chat, attracting scrutiny

9 Feb 2026


Privacy watchdog PCPD says the exposure of personal data and information on dismissal is a breach of data protection rules. An enforcement notice was sent to a security service company after an employee's termination letter was sent to a group chat, exposing her personal data and information relating to her dismissal to colleagues.


Data protection breaches in Hong Kong

In 2025, the office received a total of 4,228 complaints and handled 17,691 public enquiries. Public enquiries received included:

  • Collection and use of personal data (28%)

  • Complaint handling policy of the PCPD (15%)

  • Access to and correction of personal data (6%)

  • Installation and use of CCTV (5%)

The PCPD also addressed enquiries on the handling of personal data in employment cases (5%).


One Step Away From a Massive Data Breach: What We Found Inside MoltBot

3 Feb 2026


Over just a few days, MoltBot has reached roughly 98,000 GitHub stars, 13,600 forks, and more than 350,000 NPM downloads (plus 27,471 direct GitHub downloads) – as of publication time, and still climbing – which we estimate corresponds to roughly 300k–400k users, derived from NPM and GitHub download counts. That adoption matters because MoltBot works by asking users to provide highly sensitive credentials and API keys – effectively the keys to their digital lives – and it is built to ingest input from multiple sources and take actions across connected accounts.

PCPD Radio Broadcast - Happy Sharing on Digital Security & Privacy Classroom

2 Feb 2026


Series One – “Happy Sharing on Digital Security”

The PCPD holds a dialogue with the winning organisations of the “Privacy-Friendly Awards 2025”, starting from 26th January.


Series Two – “Privacy Classroom”

The PCPD has engaged Program Hosts to offer practical tips on topics like the use of AI, fraud prevention and combatting doxxing offences. The “Privacy Classroom” will be broadcast on CR1 and CR2 starting from April.

As CNY Approaches, PCPD Urges Vigilance Against Fraudulent Advertisements Recruiting Construction Workers

30 Jan 2026


The Data Protection Office suggests that departments review the measures below, since they may apply to job applications, especially for non-full-time jobs, made through social media platforms:

==========================

The PCPD reminds the public of the following when applying for jobs through social media platforms and instant messaging groups, to safeguard their personal data privacy:

  1. Authenticate the identity of the recruiter or intermediary

  2. Avoid disclosing personal data arbitrarily

  3. Retain communication records

  4. Fraud prevention information

Ransomware Attack Disrupts Operations at Japan’s Largest Port (Nagoya)

26 Jan 2026

Ransomware Attack (Lockbit 3.0) Disrupts Operations at Japan’s Largest Port (Nagoya)

The incident involving a Russia-based hacking group known as Lockbit 3.0 led to a temporary shutdown of operations as authorities scrambled to mitigate broader delays in the shipment of goods. Ransomware, a form of malware that locks users out of files or systems until a ransom is paid, has become increasingly concerning for shipping networks amid growing automation trends in Asian ports.


Expert assessments reveal that remote access vulnerabilities, particularly in VPNs and desktop protocols, are frequent targets for ransomware attackers, constituting around 80% of such breaches in Japan. Mihoko Matsubara, a chief cybersecurity strategist at NTT, emphasized the importance of companies regularly updating and patching software to protect against these threats.

HKU department IT - please refer to Threat Bulletin https://its.hku.hk/security-alerts/

22 Jan 2026


PCPD seminar: “Understanding the Protection of Critical Infrastructures (Computer Systems) Ordinance and Data Security” (5 February)

21 Jan 2026


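Conducted in Cantonese only

5 February 2026 (Thursday)

3:00pm to 4:30pm

Online / in person (Address: Lecture Theatre, PCPD Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong)

Speakers:

  • Mr 陳永安 — Commissioner of Critical Infrastructure (Computer-system Security)

  • Ms 鍾麗玲 — Privacy Commissioner for Personal Data

Seminar highlights:

  • Introduction to the Protection of Critical Infrastructures (Computer Systems) Ordinance

  • What is “critical infrastructure”

  • Responsibilities of critical infrastructure operators

  • Recommendations for enhancing organisations’ cybersecurity

  • How to prevent and handle data breach incidents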


Victorian Department of Education says hackers stole students’ data

15 Jan 2026


The Department of Education in Victoria, Australia, notified parents that attackers accessed a database containing the personal information and email addresses of current and former students, prompting password resets. The types of data include students' names, school names, year levels, school-issued email addresses, and encrypted passwords for accounts that use them.


While the Department of Education didn't share how many students were affected by the data breach, Victoria's government school system serves approximately 650,000 students across over 1,500 schools.

Central Maine Healthcare breach exposed data of over 145,000 people

13 Jan 2026


A data breach at Central Maine Healthcare (CMH) exposed sensitive information of more than 145,000 individuals. The CMH integrated healthcare delivery system serves at least 400,000 people and manages hospitals like Central Maine Medical Center (CMMC), Bridgton Hospital, and Rumford Hospital.


On December 29, CMH published a statement saying that the security incident exposed the following data types, which may vary per individual: full names, dates of birth, treatment information, dates of service, provider names, health insurance information, and Social Security numbers (SSNs).

Copyright @2026 The University of Hong Kong. All Rights Reserved.