Latest News

PCPD Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures”

8 May 2024

PCPD notes that cyberattacks on the information systems of organisations occurred from time to time, resulting in the leakage of personal data. These incidents were generally caused by the organisations’ failures to adopt adequate and effective organisational or technical security measures to protect their information systems, or by the negligence or error of staff members.


Ms Ada CHUNG Lai-ling, the Privacy Commissioner, and Mr Brad KWOK, Chief Personal Data Officer of the PCPD will talk about lessons learnt from data breach cases which occurred in recent years, and elaborate on the causes of the data breaches and the remedial measures taken. The speakers will also provide their recommendations on how to enhance cybersecurity and data security measures, as well as highlight the key points in preventing and handling data breach incidents.


Date: 23 May 2024 (Thursday)

Time: 3:00 pm – 4:15 pm

FSD - Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public

7 May 2024

Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public

  • It is the third online security incident concerning government departments revealed in a week

  • Latest incident occurred on Friday when an outsourced contractor handled a data migration procedure, Fire Services Department says

The department added that 960 incomplete identity card numbers of staff were also involved.


In Chinese: https://www.hk01.com/%E7%A4%BE%E6%9C%83%E6%96%B0%E8%81%9E/1017020

EMSD_CR incidents related-Gov Departments Review Personal Data Storage and Information Security urged by HKGCIO

5 May 2024

The Office of the Government Chief Information Officer has requested all government departments to comprehensively review information security and personal data storage public cloud platforms within a week.


Additional information: 

https://inews.hket.com/article/3754059/

CR Companies Registry's e-services maintained after earlier incident of personal data leakage

3 May 2024

The Companies Registry has reported the case to the Security Bureau, the Office of the Government Chief Information Officer and the Office of the Privacy Commissioner for Personal Data.


The Companies Registry (CR) said on May 3 that urgent maintenance of its e-Services Portal to block any risk of further leakage of personal data had been completed. The CR had also completed the relevant investigation.


Other information: 

Company Registry System 3 Vulnerability 110,000 directors' personal information leaked Name ID card for viewing - https://www.hk01.com/article/1016277?utm_source=01articlecopy&utm_medium=referral

Hacker-hit Hong Kong consumer watchdog ordered to fix data security problems within 2 months

3 May 2024

Hong Kong’s consumer watchdog breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack. An email alert system also failed to notify the watchdog of the attack last September, with the council only learning about the incident once a US$500,000 ransom request was sent.

Consumer Council-PCPD Publishes Findings on the Data Breach Incident

2 May 2024

The Privacy Commissioner has served an Enforcement Notice on the Consumer Council, directing it to remedy the contravention and prevent similar recurrence of the contravention.

  • Adopt multi-factor authentication for remote access to information and communications systems to minimise the risk of attacks targeting information systems;

  • Establish a robust cybersecurity framework, allocate sufficient resources and formulate effective strategies and measures to prevent, detect and respond to cyberattacks, thereby reducing the possibility of cyberattacks and the risk of data leakage;

  • Conduct regular risk assessments and security audits of information systems;

  • Establish a corporate culture that values data security; and

  • Devise effective training plans to enhance staff awareness and competence in data security and personal data protection.

Hong Kong Arts Development Council was maliciously attacked by hackers

30 Apr 2024

Hong Kong Arts Development Council attacked maliciously by hackers. No data breach or loss reported.

Hong Kong Arts Development Council stated that the incident happened last Friday and that it immediately activated its emergency response mechanism to prevent further intrusion by the hackers. It also commissioned network security experts for a comprehensive investigation and reported the incident to PCPD, Hong Kong Police and the Culture, Sports and Tourist Board.

Health conglomerate Kaiser notifies millions of a data breach

26 Apr 2024

April 25 (Reuters) - U.S. health conglomerate Kaiser is notifying millions of its members of a data breach earlier this month, it reported in a notice posted on Thursday.

The Kaiser Foundation Health Plan confirmed that 13.4 million residents had their information taken in a data breach, as per a legally required notice filed with the U.S. government on April 12 and reported on Thursday.

Personal information of parents, staff at 127 schools accessed in data security breach

22 Apr 2024

Personal information of parents, staff at 127 schools accessed in data security breach (at Mobile Guardian)

SINGAPORE: A data breach at one of its vendors has resulted in the "unauthorised access" of names and email addresses of parents and staff from five primary schools and 122 secondary schools, the Ministry of Education (MOE) said on Friday (Apr 19).


MOE said it was notified by Mobile Guardian that its user management portal had been breached on Wednesday, with the incident occurring at the company's headquarters in Surrey, United Kingdom.

Law firm Orrick agrees to $8 mln settlement over breach of client data

15 Apr 2024

U.S. law firm Orrick, Herrington & Sutcliffe has agreed to pay $8 million to settle class action claims from people who said their personal information was compromised in a breach of some of the firm's client data, according to a proposed settlement filed Thursday in San Francisco federal court.


Hackers accessed the names, addresses, dates of birth, and Social Security numbers of more than 600,000 people that were contained in files held by Orrick, the plaintiffs said. Orrick detected the data breach in March 2023.


Plaintiffs alleged Orrick did not inform them of the data breach until late June last year. Thursday's court papers said that "by January 2024, Orrick had sent notice letters to impacted individuals consistent with its data breach notification obligations."

PCPD Seminar on “Cross-boundary Flow of Personal info within GBA”

12 Apr 2024

PCPD Seminar Presentation on “Cross-boundary Flow of Personal info within GBA”

The Government Chief Information Officer, Ir. Tong Wong, JP, was invited to provide an overview of the facilitation measures of the Standard Contract (SC) within the GBA. The Privacy Commissioner, Ms Ada CHUNG Lai-ling, and Senior Legal Counsel (Acting) of the PCPD, Ms Clemence Wong, also explained the obligations and responsibilities of contracting parties under the GBA SC.

https://www.pcpd.org.hk/english/whatsnew/files/20240409_PCPD.pdf

https://www.pcpd.org.hk/english/whatsnew/files/20240409_OGCIO.pdf

(only Chinese version is available)


Hackers gain access to sensitive data of DOST

5 Apr 2024

Hackers gain access to sensitive data of DOST (Department of Science and Technology) in the Philippines

Hackers believed to be operating within the country illegally gained access to the network of the government agencies including the Department of Science and Technology (DOST), compromising 2-terabyte worth of data, including research plans, designs and schematics, the Department of Information and Communications Technology (DICT) confirmed on Wednesday.

PCPD - Cyberport Investigation Report

3 Apr 2024

PCPD Investigation Report of Cyberport Ransomware Attack

https://www.pcpd.org.hk/english/news_events/media_statements/press_20240402.html

Investigation Report: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_12170_e.pdf - Deficiencies include:

  1. Lack of effective detection measures in Cyberport’s information systems;

  2. Failure to enable MFA for remote access;

  3. Insufficient security audits of the information systems;

  4. Lack of concrete cybersecurity framework; and

  5. Unnecessary retention of personal data

AT&T says a data breach leaked millions of customers’ information online

1 Apr 2024

NEW YORK (AP) — The theft of sensitive information belonging to millions of AT&T’s current and former customers has been recently discovered online. AT&T said that a dataset found on the “dark web” contains information including some Social Security numbers and passcodes for about 7.6 million current account holders and 65.4 million former account holders. 


Full names, email addresses, mailing address, phone numbers, dates of birth and AT&T account numbers may have also been compromised. The impacted data is from 2019 or earlier and does not appear to include financial information or call history, the company said.

Seminar on “Responding to Cyber Security Threats and Data Breaches”

27 Mar 2024

Presentation on Mar 19 PCPD Seminar on “Responding to Cyber Security Threats and Data Breaches”

Presentation links (Chinese):

https://www.pcpd.org.hk/english/whatsnew/files/Brad_240319.pdf

https://www.pcpd.org.hk/english/whatsnew/files/HKIRC_Arktos_240319.pdf


PCPD/HKIRC Topical Seminar on “Responding to Cyber Security Threats and Data Breaches” registration - https://www.pcpd.org.hk/spec_event/spec_event76_apply.php

New PCPD training workshops - Personal Data Privacy Management Programme, Property Management

26 Mar 2024

New workshops at https://dpo.hku.hk/pcpd-training

  • Data Protection in Property Management Practices

  • Personal Data Privacy Management Programme


4 Effective Ways To Defend Your Business From Data Breaches

26 Mar 2024

EY’s Emerging Tech at Work 2023 survey reveals that 89% of employees believe adopting emerging tech benefits their company. Still, cybersecurity risk can be a barrier to adoption.

According to the same EY survey, approximately 73% of employees are concerned about the cybersecurity risks associated with generative AI, and 78% worry about quantum computing.

1. Start with clear-cut training

2. Shield the cloud

3. Monitor for data leaks

4. Minimize data retention

South China Athletic Association: Hong Kong privacy watchdog probes data breach involving loss of 70,000 members’ personal information

20 Mar 2024

Hong Kong’s privacy watchdog is investigating a large-scale data breach at a prominent sports club involving the loss of about 70,000 members’ personal information, including identity card and passport details.


The Office of the Privacy Commissioner for Personal Data on Tuesday also urged members of the South China Athletic Association (SCAA) to report any suspicious activity, a day after the club announced the data leak.


The breach includes possible theft of information such as members’ names, identity card and passport numbers, and addresses, as well as their contact details.


ENG - https://www.scmp.com/news/hong-kong/society/article/3255944/hong-kong-privacy-watchdog-probes-data-breach-prominent-sports-club-involving-loss-about-70000

CN - https://news.rthk.hk/rthk/ch/component/k2/1745249-20240319.htm


Thousands of Nissan customers have had their data stolen in cyberattack

18 Mar 2024

The cyberattack on Nissan Motor Corporation and Nissan Financial Services in Australia and New Zealand, which happened in December 2023, resulted in the theft of sensitive data belonging to roughly 100,000 people, the company has confirmed.


In early December last year, the Japanese car manufacturing giant said it was investigating a possible data breach. In an update posted on its website on Mar 14, Nissan said it had started notifying affected individuals, with data stolen from customers, current and former employees, as well as some dealers. Customers include owners of Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM brands, the company noted. Nissan believes that roughly 10% of the victims have had “some form of government identification” compromised. That includes 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers.

Acer confirms Philippines employee data leaked on hacking forum

13 Mar 2024

Acer Philippines confirmed that employee data was stolen in an attack on a third-party vendor who manages the company's employee attendance data after a threat actor leaked the data on a hacking forum. 

A threat actor known as 'ph1ns' published a link to download a stolen database containing Acer employee data for free on a hacking forum.

Acer is a Taiwanese maker of computer hardware and electronics. Earlier today, 
