
Latest News

'123456' password exposed chats for 64 million McDonald’s United States job chatbot applications

17 Jul 2025

Cybersecurity researchers discovered a vulnerability in McHire, McDonald's chatbot job application platform, that exposed the chats of more than 64 million job applications across the United States.


McHire, powered by Paradox.ai and used by about 90% of McDonald's franchisees, accepts job applications through a chatbot named Olivia. Applicants submit names, email addresses, phone numbers, home addresses and availability, and are required to complete a personality test as part of the application process. This type of flaw is called an IDOR (Insecure Direct Object Reference): the application exposes internal object identifiers, such as record numbers, without verifying that the requesting user is actually authorised to access the referenced data.

Privacy Commissioner’s Office Intervenes in 8 Personal Data Security Incidents

10 Jul 2025

The eight data security incidents:
1. A doctor at a medical diagnostic centre did not log out of the system before leaving the examination room, exposing patients' information.
2. A tour guide distributed group electronic flight tickets to tour members, exposing the personal data of all tour members.
3. When handling a complaint about a parking matter, a security guard disclosed the complainant’s phone number to another carpark tenant.
4. A medical institution failed to apply the appropriate setting in the “View Summary of Responses” function during online collection, exposing the personal data of over 100 registrants.
5. A government department did not follow the established procedures for folding letters, leaving the complainant’s HKID card number visible through the envelope window.
6. An insurance company printed documents on recycled paper that consisted of obsolete resumes and HKID card copies, exposing personal data.
7. A retailer sent a promotional email to its members with all members (1000) in the recipient field, exposing every member's email address.
8. Owing to a wrong script applied to an airline company's membership account system, account information was exposed to other members.


Data security pitfalls may lie in any single procedure of work. PCPD makes six recommendations to organisations of all sectors:
1. Incorporate the protection of personal data privacy into the core values of the organisation
2. Enhance the awareness and capabilities of employees to protect privacy through training
3. Develop clear and easy-to-understand work guidelines
4. Adopt technical security measures
5. Regularly monitor, assess and improve compliance with data security policy
6. Develop a comprehensive data breach response plan

Legislator urges government to enact cybersecurity law; Chris Tang (鄧炳強): Law Reform Commission studying offences such as setting up fraudulent imitation websites

10 Jul 2025

The Legislative Council today (the 9th) passed a non-binding members' motion urging the government to study enacting a cybersecurity law and to build a comprehensive anti-online-fraud system. Secretary for Security Chris Tang (鄧炳強) revealed that the Law Reform Commission is conducting the second phase of its study, focusing on traditional offences whose scale is expanded through computer networks, such as setting up fraudulent imitation websites.


Duncan Chiu (邱達根), the legislator for the Technology and Innovation constituency who moved the motion, suggested that preventing online scams requires shifting from "blocking after the fact" to "blocking beforehand", placing the responsibility on operators: operators should proactively block at source using technology and tools, and should refuse suspicious advertisements or websites, or content that AI analysis matches to material previously blocked.

Over 1,000 join legal action against M&S after major customer data breach, lawyers say

9 Jul 2025

At-a-glance

  • Cyber attack on M&S involved ‘sophisticated impersonation’, chairman tells MPs

  • Thompsons Solicitors launching class action against M&S after April’s cyberattack exposed customer data

  • Names, emails, addresses, and birth dates stolen — raising concerns over identity fraud and phishing scams

  • M&S admits fault, estimating the breach could cost the company around £300 million

  • Customers urged to beware of fake emails offering gifts; experts stress verifying sender details before clicking links

  • M&S hopes to fully restore digital operations by August, following shutdowns to contain the breach

16 Billion Apple, Facebook, Google And Other Passwords Leaked

8 Jul 2025

Researchers have just confirmed what could be the largest leak ever, with an almost incredible 16 billion login credentials, including passwords, exposed. According to Vilius Petkauskas at Cybernews, whose researchers have been investigating the leakage since the start of the year, “30 exposed datasets containing from tens of millions to over 3.5 billion records each” have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now reached 16 billion.

Cyber Security and Technology Crime Bureau CSTCB “Cybersecurity Report 2024”

8 Jul 2025

CSTCB will continue to lead the development of the cybersecurity ecosystem.


Key Cybersecurity Data

  • Among the 33,903 technology crime cases recorded by Hong Kong Police Force in 2024, there were 112 destructive cyberattacks, including 61 “Hacking activities”, 46 “Ransomware” and 5 “Distributed denial-of-service (DDoS) attacks” cases.

  • In 2024, CSTCB processed over 25 million pieces of cyber threat intelligence, averaging more than 68,000 pieces per day. Among these, CSTCB identified over 440,000 cyber threats targeting Hong Kong.

  • Analysis of cybersecurity incidents revealed three recurring issues: inadequate access control and configuration; outdated and unpatched systems; and a lack of effective threat detection mechanisms.

  • Over 90,000 Internet-facing assets of Hong Kong's critical infrastructures were assessed, and 5% had varying degrees of system vulnerabilities. Among the discovered vulnerabilities, 89% were classified as medium or low risk, and 11% were identified as critical or high risk.

Cyber Threat Forecast for the Coming Year

  • Surging AI-powered cyber threats and AI system risks

  • Ransomware attacks remain prevalent

  • Increasing Web3-related cyberattacks

  • Escalating IoT security risks

  • Growing supply chain and third-party risks

  • Intensifying cloud security and hybrid work risks

  • Emerging attacks on critical infrastructures

PCPD July-Aug Professional Trainings-AAB case, Privacy Management Program

7 Jul 2025

As Hong Kong is learning, a deepfake crime epidemic is upon us

4 Jul 2025

In a world increasingly driven by artificial intelligence (AI), our faces, voices and even patterns of digital movements are no longer just personal identifiers but raw material. Scraped from the nooks and crannies of the internet, this data is repurposed as training material or synthetic content through a slew of affordable AI tools.

Question leak scandal | King's College final exam question leaked; Form 4 students forced to re-sit Chinese composition

28 Jun 2025

News is only available in Chinese.

King's College, a traditional elite school, has been hit by an exam question leak scandal. In a notice to parents yesterday (the 17th), the school admitted that a teacher, while uploading practice materials to Google Classroom, accidentally uploaded the composition topic of the Form 4 Chinese Language final examination as well, causing the exam question to leak. To ensure fairness, the school arranged a re-sit, with the higher of the two scores to count. The move angered students, who blasted the school for failing to investigate thoroughly and for making innocent students who sat the exam honestly into scapegoats, calling the arrangement a punishment and unfair. TOPick asked the school for comment but had not received a response before publication.

RSVP - June 27 2025 HKU Data Protection Event with PCPD

11 Jun 2025

Please register via QR code. Look forward to your participation!

- First posted on Apr 23 

- Reposted on June 11 - panel change: a moderator with 3 speakers

AT&T Data Leak: 86 Million Records Exposed in Latest Alleged Breach

9 Jun 2025

The hackread.com research team first spotted the leak on 15 May 2025. It surfaced on a well-known Russian cybercrime forum, only to be reposted on 3 June. That’s when it began circulating widely across dark web channels. The dataset includes full names, dates of birth, phone numbers, email addresses, physical addresses and, most alarmingly, 44 million Social Security Numbers in plain text. These records are neatly organised into three CSV files. Structured. Easy to read. Easy to exploit.

Largest ever data leak exposes over 4 billion user records

9 Jun 2025

The Cybernews research team’s latest findings reveal the supermassive data leak:

  • Hundreds of millions of users are likely exposed

  • Data leak contained billions of documents with financial data, WeChat and Alipay details.

  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

A humongous 631GB database was left without a password, exposing a mind-boggling 4 billion records.

PCPD "AI Security Matters for All" Program-June27 HKU event

6 Jun 2025

PCPD Privacy Awareness Week 2025 - "AI Security Matters for All"

The Office of the Privacy Commissioner for Personal Data (PCPD) will hold Privacy Awareness Week 2025 from 9 to 15 June. This annual privacy promotion campaign, jointly supported by members of the Asia Pacific Privacy Authorities, aims to raise public awareness of protecting and respecting personal data privacy. This year, under the theme "AI Security Matters for All", the PCPD is organising the following activities:


1. "AI Security Matters for All" themed tram

To raise public awareness of artificial intelligence (AI) security, the PCPD will run an "AI Security Matters for All" themed tram from 9 June to 4 July as a roving promotion. The tram's design centres on a lock symbolising AI security, combined with icons related to personal data, and carries the "AI Security" hotline (2110 1155) and a QR code for the newly launched "AI Security" thematic website, reminding the public to protect personal data privacy when using AI.


2. "AI Security" thematic website

As AI applications become increasingly widespread, the PCPD has launched a new "AI Security" thematic website, providing in one place the PCPD's AI-related guidance materials, educational information and resources, information on international developments, and the PCPD's latest AI-related news and activities, for easy reference by the public and organisations.


3. Seminar on "Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era"

The PCPD and City University of Hong Kong Press will co-organise the seminar "Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era" on 10 June. The seminar will explore the latest developments in Hong Kong's privacy landscape, covering recent data breach incidents and the PCPD's guidance on AI. It will also outline the requirements under the Personal Data (Privacy) Ordinance for transferring personal data outside Hong Kong, and the facilitation measures for cross-boundary flow of personal information within the Greater Bay Area. With privacy law developing rapidly (including Hong Kong's new anti-doxxing provisions and the Mainland's Personal Information Protection Law), individuals and businesses alike need to keep abreast of these changes. The speakers will share their insights on these topical issues, which are also covered in the third edition of "Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance".


4. PCPD + HKPC SME Data Security Training Series – "SMEs Understanding AI Data Security and Privacy Risks" seminar

This seminar is the second training event in the "SME Data Security Training Series" launched by the PCPD together with the Hong Kong Productivity Council (HKPC). It explores the commercial use of AI by SMEs and the associated data security and personal data privacy risks. Ms 王雅媛, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD, and Ir 陳仲文, General Manager of HKPC's Cyber Security and Digital Transformation Division, will share best practices for organisations procuring, implementing and using AI systems (including generative AI), and their views on ensuring data security and personal data privacy protection when using AI.

Event details:

Date: 13 June 2025 (Friday)

Time: 3:00 pm to 4:15 pm

(Venue: PCPD Lecture Hall, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong)

Speakers:

· Ms 王雅媛 – Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research), PCPD

· Ir 陳仲文 – General Manager, Cyber Security and Digital Transformation Division, HKPC

Registration and details: click here for details and to register.


5. Seminar on "AI in Education: Applications and Security Risks – Balancing Innovation and Data Protection"

In today's rapidly changing education landscape, AI plays an important role. Striking a balance between using AI for innovative learning experiences, protecting sensitive data and strengthening cybersecurity is especially critical. The PCPD and HKU Information Technology Services and Data Privacy are holding this seminar to explain the PCPD's latest AI guidance materials, to share insights and best practices for protecting personal data in a fast-evolving digital world, and to present practical strategies for applying AI in educational settings while protecting personal data and cybersecurity. In a panel discussion, industry experts will also examine how to handle AI errors and user mistakes.

Event details:

Date: 27 June 2025 (Friday)

Time: 2:00 pm to 5:00 pm

(Venue: Multi-purpose Room, 2/F, Main Library Building, The University of Hong Kong, Pokfulam, Hong Kong)

Speakers:

· Ms 王雅媛 – Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research), PCPD

· Professor 鄒錦沛 – Senior Lecturer, School of Computing and Data Science, The University of Hong Kong

· Professor 姚兆明 – Professor, School of Computing and Data Science, The University of Hong Kong

· Ms 林小嫺 – Director of Information Security and Risk Management, Swire Coca-Cola Limited

· Mr 林焯豪 – Chief Superintendent, Cyber Security and Technology Crime Bureau, Hong Kong Police Force

· Dr 朱偉年 – Vice President and Secretary, ISACA China Hong Kong Chapter

Registration and details: click here for details and to register.

UK Legal Aid Agency confirms applicant data stolen in data breach

28 May 2025

The United Kingdom's Legal Aid Agency (LAA) has confirmed that in a recent cyberattack hackers stole a large trove of sensitive applicant data. The confirmation of the data breach came from the UK government.


LAA is an executive agency of the UK Ministry of Justice responsible for administering legal aid in the form of advice, representation, and justice to those who can't afford to pay for it themselves.

June 10 - PCPD Seminar on “Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era”

26 May 2025

The landscape of personal data privacy continues to evolve in the digital era. This seminar will explore the latest developments in the privacy landscape in HK, covering recent data breach cases and the various guidelines on artificial intelligence issued by the PCPD. It will also highlight the requirements under the Personal Data (Privacy) Ordinance for transferring personal data from HK and the facilitation measure for promoting cross-boundary flow of personal information within GBA. Amidst the rapid developments in privacy laws – including the introduction of the anti-doxxing regime in HK and the enactment of the Personal Information Protection Law in the Mainland – it is crucial for individuals and businesses alike to keep abreast of these changes. The speakers will share their insights on these topical issues, which are also covered in the third edition of the book named “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance”.

Massive data breach exposes 184 million passwords for Google, Microsoft, Facebook, and more

24 May 2025

The plain-text file holding millions of sensitive records was unencrypted, with no password protection and no security.


Cybersecurity researcher Jeremiah Fowler revealed his discovery of a massive online database containing more than 184 million unique account credentials. Usernames, passwords, emails, and URLs for a host of applications and websites, including Google, Microsoft, Apple, Facebook, Instagram, and Snapchat, among others, were stored in a file. The database also contained credentials for bank and financial accounts, health platforms, and government portals.


An infostealer is designed to grab usernames, passwords, and other sensitive data from breached sites and servers. Once the criminals get their hands on the data, they can use it to launch their own attacks or peddle the information on the dark web. 

PCPD workshop-Data Protection in Human Resource Management

23 May 2025

Course outline:

  • What are the general requirements for the collection and retention of personal data, and ensuring their accuracy and security in each phase of the employment process

  • What are the requirements of the Code of Practice on Human Resource Management

  • Collection of personal data in recruitment process e.g. medical data, reference data

  • What are the legal requirements in transferring personal data to third parties

  • Collection of biometrics data

  • How to handle a Data Access Request by job applicants or employees

  • What are the requirements for engaging in employee monitoring activities

  • How to tackle employees’ personal data privacy issues arising from COVID-19

  • Data Ethics

Please contact the DPO office for the PCPD club member number to register at the discounted price.

M&S cyber attack disruption likely to last until July

23 May 2025

M&S says it has moved into recovery mode after a ransomware attack, but the disruption continues.


Please refer to the previous news item posted on May 19 - https://dpo.hku.hk/news/m%26s-confirms-staff-data-stolen-in-cyber-attack


M&S forces customer password resets after data breach - https://www.computerweekly.com/news/366623565/MS-forces-customer-password-resets-after-data-breach

M&S confirms staff data stolen in cyber attack

19 May 2025

According to reports first published in The Telegraph, M&S management informed employees that the breach included full names and email addresses. Personal information thought to have been accessed includes names, addresses, and online order histories. However, the high street retailer reassured the public that there is no evidence of passwords, payment details, or sensitive financial data having been accessed.


News in Chinese - https://hk.news.yahoo.com/%E9%A6%99%E6%B8%AF%E9%A6%AC%E8%8E%8E%E6%B4%A9%E5%AE%A2%E6%88%B6%E8%B3%87%E6%96%99-%E5%8C%85%E6%8B%AC%E5%A7%93%E5%90%8D%E3%80%81%E9%9B%BB%E9%83%B5%E3%80%81%E9%9B%BB%E8%A9%B1%E7%AD%89-%E7%84%A1%E5%9B%9E%E8%A6%86%E7%A7%81%E9%9A%B1%E5%85%AC%E7%BD%B2%E6%9F%A5%E8%A9%A2%EF%B8%B1yahoo-092442343.html

Hong Kong M&S leaks customer data including names, emails and phone numbers; no reply to Privacy Commissioner's enquiry | Yahoo

[Yahoo News report] Marks & Spencer Hong Kong recently notified customers that its online system had earlier been subjected to a cyberattack and that some personal data may have been stolen, including customer names, email addresses, home addresses, phone numbers, dates of birth, online order records and "masked" payment card details. M&S stressed that there is no evidence the data has been disseminated, that no usable payment details or account passwords are involved, and that customers need not take any action.

HKU Privacy Management Program Update

14 May 2025

Copyright @2024 The University of Hong Kong. All Rights Reserved.