
Latest News

Hong Kong government to hold first joint cybersecurity drill among departments, organisations

15 Oct 2024

HK unauthorised access to online service accounts jumped the most; HK Government to mitigate ‘rising’ risk of cyberattacks with first joint cybersecurity drill

The Hong Kong government will hold its first joint cybersecurity drill among departments and organisations. Hong Kong recorded 34,112 technology-related crime cases last year, up nearly 50 per cent from 2022, while financial losses spiked by 71 per cent to HK$5.49 billion (US$706.5 million), according to figures submitted to the panel. Among them, “unauthorised access to online service accounts” saw the biggest jump, from 168 in 2022 to 3,434 in 2023.


Referring to the drills, Data Policy Office deputy commissioner Daniel Cheung Yee-wai said teams would have to build defences against simulated attacks. Digital policy commissioner Wong said the government was in initial talks with industry players to offer more cost-effective cybersecurity services that public organisations could afford. Wong urged residents to avoid clicking on unknown links and to refrain from accessing sensitive information, such as bank account details, when their devices were connected to free public networks.

The Internet Archive is under attack, with a breach revealing info for 31 million accounts

14 Oct 2024

The Internet Archive suffers a breach revealing info for 31 million accounts

The Internet Archive (www.archive.org) founder Brewster Kahle confirmed the breach and said the website had been defaced with the notification via a JavaScript library.


HIBP refers to Have I Been Pwned, a website where people can look up whether their information has been published in data leaked from cyberattacks. HIBP operator Troy Hunt confirmed to BleepingComputer that he received a file containing “email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data” for 31 million unique email addresses nine days ago and confirmed it was valid by matching data with a user’s account.

American Water Confirms Hack: Customer Portal and Billing Services Suspended

8 Oct 2024

American Water Confirms Hack: Customer Portal and Billing Services Suspended

American Water, the largest regulated water utility company in the US, has confirmed a cybersecurity incident; it detected the breach on October 3, shut down its customer portal "MyWater" and temporarily suspended billing services. A law enforcement investigation is underway.


The New Jersey-based company serves over 14 million people in 24 states and 18 military installations. It said the hack did not negatively affect its water or wastewater facilities or operations and insists its water is safe to drink.

Privacy Commissioner Urges Job Seekers to Stay Vigilant about “Blind” Recruitment Advertisements

2 Oct 2024

PCPD Newsletter: Stay Vigilant about “Blind” Recruitment Advertisements & Online Doxxing Messages Dropped

In order to protect job applicants’ personal data and project a positive corporate image, the PCPD appeals to employers to:

  • Increase transparency in placing recruitment advertisements and disclose the identities of the organisations;

  • Refrain from placing Blind Ads to collect job applicants’ personal data; and

  • If necessary, consider engaging a recruitment agency that is identified in the advertisement to collect the personal data from job applicants.

Online Doxxing Messages Dropped by 90% on Third Anniversary of Anti-Doxxing Law

NIST Drops Password Complexity, Mandatory Reset Rules

30 Sept 2024

NIST's second public draft password guidelines drop complexity rules and knowledge-based authentication

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.


NIST's second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSPs) to stop requiring users to set passwords that use specific types of characters and to stop mandating periodic password changes (commonly every 60 or 90 days). CSPs are also instructed to stop using knowledge-based authentication or security questions when selecting passwords.


NIST is now also recommending password resets only in the case of a credential breach.
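To make the policy shift concrete, here is an added example (not code from the page or from NIST) that evaluates an account under a legacy composition-and-rotation policy and under the draft's approach: no character-class rules, no periodic expiry, a blocklist check, and a forced reset only after a known credential breach. The 8/64-character length bounds, the `Account` fields and the blocklist contents are assumptions for illustration.

```python
# Added example: legacy password policy vs. the NIST SP 800-63-4 draft approach.
# Not the page's or NIST's code; thresholds and sample data are constructed.
import re
from dataclasses import dataclass

# Constructed sample blocklist. A real deployment would check against a
# much larger list of breached and commonly used passwords (assumption).
BREACHED_OR_COMMON = {"password", "123456", "qwerty", "letmein", "Password1!"}


@dataclass
class Account:
    password: str
    password_age_days: int
    known_breach: bool = False  # set by an incident-response process (assumed field)


def legacy_policy(acct: Account) -> list[str]:
    """Composition rules plus 90-day rotation, the rules the draft tells CSPs to drop."""
    problems = []
    pw = acct.password
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw)):
        problems.append("missing a required character class")
    if acct.password_age_days >= 90:
        problems.append("expired: 90-day rotation due")
    return problems


def nist_draft_policy(acct: Account, min_len: int = 8, max_len: int = 64) -> list[str]:
    """Length and blocklist checks only; a reset is required only after a breach.
    min_len/max_len are assumed parameters, not values quoted from the page."""
    problems = []
    pw = acct.password
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    # Case-insensitive blocklist match: a known-bad password is rejected
    # regardless of how many character classes it happens to contain.
    if pw.lower() in {p.lower() for p in BREACHED_OR_COMMON}:
        problems.append("appears in breached/common password list")
    if acct.known_breach:
        problems.append("reset required: credential involved in a breach")
    return problems


if __name__ == "__main__":
    # A long passphrase fails the legacy rules but is fine under the draft;
    # a short "complex" password passes legacy rules but is on the blocklist.
    for acct in (Account("correct horse battery staple", 400),
                 Account("Password1!", 10)):
        print(acct.password, legacy_policy(acct), nist_draft_policy(acct))
```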

Dell investigates data breach claims after hacker leaks employee info

23 Sept 2024

Dell investigates data breach after a threat actor leaked data for over 10,000 employees

The allegations were published yesterday by a threat actor named "grep," who claims to hold 20 GB of data, including source code, credentials, private keys, API keys, employee data, T-Mobile virtual machine logs, documents, and more.


"grep" claimed another high-profile data breach on September 9, 2024, when he posted data allegedly stolen from the French IT giant Capgemini.


Earlier this year, Dell suffered a data breach after a company API was abused to steal 49 million customer records.

Over 300 Sai Ying Pun Community Hall booking applicants' data leaked

19 Sept 2024

Sai Ying Pun Community Hall applicants' data leaked

The Central and Western District Office said it received a report from the contractor on Monday (Sep 16). The personal data of 306 hirers of the Sai Ying Pun Community Hall is at risk of exposure following the loss of a USB device by an employee of the facility management services contractor. The USB device contains the organisation names, the booking dates and times of the events, and the names and phone numbers of the contact persons for the 306 applicants.


Experience Sharing Session for Businesses on “AI and Personal Data Privacy”

19 Sept 2024

“AI and Personal Data Privacy”: PCPD Experience Sharing Session

With the adoption of artificial intelligence (AI) on the rise, many businesses are using AI or exploring the advantages of using AI to improve their operations.


To assist businesses in using AI while safeguarding personal data privacy, the PCPD organises this sharing session to discuss the rise of AI and the privacy risks it poses, and to introduce the PCPD’s recently published “Artificial Intelligence: Model Personal Data Protection Framework”. An HSBC representative is also invited to share their practical experience in developing, procuring and using AI in a privacy-friendly manner, as well as how to strike a balance between leveraging the benefits of AI and safeguarding personal data privacy.

Deloitte: Threat Actor IntelBroker Allegedly Claims Leak of Deloitte Internal Communications

19 Sept 2024

Deloitte: Threat Actor IntelBroker Allegedly Claims Leak of Deloitte Internal Communications

The breach reportedly occurred in September 2024, when an Apache Solr server was inadvertently exposed to the internet with default login credentials, allowing unauthorised access.


IntelBroker, who is associated with the BreachForums community, shared proof of access to these sensitive communications on the platform. BreachForums has been a hub for cybercriminals since its inception.


The compromised data includes email addresses, internal settings, and communications between intranet users.


Fortinet Data Breach Impacts Customer Information

16 Sept 2024

Fortinet has confirmed suffering a data breach impacting customers

Fortinet on Thursday confirmed suffering a data breach impacting customers.


The hacker, who uses the online moniker ‘Fortibitch’, made the announcement on a popular hacking forum and claimed that the data — 440 Gb in total — came from an Azure Sharepoint instance. The threat actor indicated that the decision to make the stolen data available came after Fortinet refused to pay a ransom. The hacker has shared information for accessing an AWS S3 bucket that allegedly stores the data, but SecurityWeek has not attempted to access it. Several users of the hacker forum complained about not being able to gain access to the files.

Code of Practice & Compliance Guide - Identity Card Number & Other Personal Identifiers

2 Sept 2024

Compliance Guide & Code of Practice of ID Number & other Personal Identifiers

https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/code_data_1.html

Compliance Guide for Data Users - As the Hong Kong Identity Card (ID Card) contains sensitive personal data, and the leakage of such data may lead to identity theft and the perpetration of fraud, organisations should be particularly careful when they collect and handle the ID Card data of members of the public.


https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/ID_Leaflet_e.pdf (v2)

https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/picode_en.pdf (v1)

The Code of Practice leaflet provides advice for the listed situations. The indiscriminate collection and improper handling of HKID Card numbers and copies may unduly infringe the privacy of individuals and create opportunities for fraud.


Privacy Commissioner’s Office Offers Six Tips to Prevent Fraud - Deepfake Face Swapping Demo

2 Sept 2024

PCPD Aug Newsletter - Six Tips to Prevent Fraud with Deepfake Face Swapping Demo

During the first half of 2024, the PCPD received nearly 600 enquiries relating to fraudulent activities targeting the personal data of the enquirers, which represented an increase of nearly 90% when compared to 312 cases year-on-year. Scams include those conducted via instant messaging applications (apps) and social media platforms, scam videos generated with artificial intelligence (AI), and telephone scams.


6 essential tips to safeguard personal data privacy:

1. Be vigilant

2. Keep an eye on your accounts and transaction records

3. Password protection

4. Smart use of social media and instant messaging apps

5. Authenticate the identity of callers

6. Fraud prevention information


7 foundational principles of Privacy by Design for developing ICT systems or applications:

https://www.pcpd.org.hk/english/resources_centre/publications/files/Guide_to_DPbD4ICTSystems_May2019.pdf

1. Proactive and Preventive
2. Data Protection as the Default
3. End-to-end Security
4. Data Minimisation
5. User-centric
6. Transparency
7. Risk Minimisation

Data Protection and Cyber Security Laws in Saudi Arabia

28 Aug 2024

Data Protection and Cyber Security Laws

More countries are recognising the evolving technology landscape and the importance of protecting personal data by taking significant steps to enhance their legal infrastructure. This article on Data Protection and Cyber Security Laws in Saudi Arabia lists the principles of privacy and safety in personal affairs.


Listed below are 3 areas that Hong Kong has covered, while Saudi Arabia has covered 2 of them more comprehensively across its bigger territory.

  1. Personal Data Protection Regulation - HK PCPD measures

  2. Anti-Cyber Crime Law - HK Critical Infrastructure Bill (to be official before end 2024)

  3. Framework and controls designed for the management, governance, and safeguarding of personal data to optimize data structuring across diverse government bodies - HK PCPD AI Framework & collaboration with other gov departments

UN committee approves first cybercrime treaty

12 Aug 2024

UN cybercrime treaty approved on Aug 8 2024

A UN committee approved the first worldwide treaty on cybercrime on Aug 8 despite opposition from human rights groups and a coalition of tech companies. The treaty was adopted by consensus after three years of negotiations but still needs to face a vote in the General Assembly in the fall. It must then be ratified by 40 nations.


The convention establishes “a global criminal justice policy” to protect society against cybercrime by “fostering international cooperation,” according to the treaty draft.

Aug 21-PCPD Workshop on Personal Data Privacy Management Programme

9 Aug 2024

Aug 21-PCPD Workshop on Personal Data Privacy Management Programme

Organisational data users should embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation. The formulation and maintenance of a comprehensive Personal Data Privacy Management Programme (PMP) is of paramount importance.


Course outline:

  • What is PMP

  • Baseline Fundamentals of a PMP

  • Appointment of Data Protection Officer

  • Ongoing Assessment and Revision

  • How to develop your own PMP

  • Data Ethics

Aug 8 - PCPD Investigation Findings on the Data Breach Incidents (Sep 27 2023) of The Council of the HK Laureate Forum Limited

8 Aug 2024

Aug 8 - PCPD Investigation Findings on the Data Breach Incidents (Sep 27 2023) of The Council of the HK Laureate Forum Limited

(1) Data Breach Incident of The Council of the Hong Kong Laureate Forum Limited - the Council submitted a data breach notification to the PCPD on 27 September 2023, reporting that its computer systems and file servers had been attacked by ransomware (the Incident).

The Incident affected the personal data of 8,122 individuals, which included approximately 7,200 e-newsletter subscribers. The personal data affected included names, addresses, email addresses, telephone numbers, passport information, full/partial passport/HKID Card numbers, bank account/credit card information, dates of birth, nationalities/places of birth, CVs/transcripts, affiliated organisations and/or academic backgrounds.

The following deficiencies of the Council were the contributing factors:-

  • Deficiencies in information system management;

  • Lax monitoring of the data security measures adopted by the service vendor;

  • Lack of policies and guidelines on information security; and

  • Lack of appropriate data backup solutions

(2) The Ransomware Attack on the Servers of HKB

HKB submitted a data breach notification to the PCPD on 16 October 2023, reporting that it had suffered a ransomware attack on 29 Sep 2023, which affected four physical servers of HKB's information systems. On 17 Sep 2023, the hacker deployed (via domain admin) the “LockBit” ransomware on HKB’s information systems, which resulted in the encryption of files and the exfiltration of data and files stored therein.


The following deficiencies were the contributing factors:-

1.  Outdated operating software of the Server;
2.  Unnecessary exposure of the Server to the Internet during system migration performed by the service vendor;
3.  Lack of monitoring of the data security measures adopted by the service vendor; and
4.  Absence of security assessments and security audits of the information systems


Additional info - https://www.thestandard.com.hk/breaking-news/section/4/219202/Hong-Kong-Laureate-Forum-and-HK-Ballet-criticised-over-privacy-breach

PCPD seminar-“AI and Privacy Protection: Balancing Innovation and Safety”

2 Aug 2024

PCPD seminar-“AI and Privacy Protection: Balancing Innovation and Safety”

Reposted on Aug 2 for presentation materials

Please click here for the Privacy Commissioner’s presentation deck (Chinese only) - https://www.pcpd.org.hk/english/whatsnew/files/20240730_AISeminar_PC_2.pdf

Please click here for Dr Tang’s presentation deck (Chinese only) - https://www.pcpd.org.hk/english/whatsnew/files/20240730_PPT_DrArvinTANG_Rev.pdf


Posted on July 12

Registration - https://www.pcpd.org.hk/spec_event/spec_event82_apply.php

With the rapidly increasing use of artificial intelligence (AI), businesses of all sizes have begun to explore the potential of integrating the technology into their operations. However, some organisations remain hesitant owing to concerns over compliance with regulations, including the Personal Data (Privacy) Ordinance.


To assist organisations in adopting AI while safeguarding the personal data privacy of individuals, the Office of the Privacy Commissioner for Personal Data (PCPD) is organising this seminar, where Ms Ada CHUNG Lai-ling, the Privacy Commissioner for Personal Data, will introduce the PCPD’s newly published “Artificial Intelligence: Model Personal Data Protection Framework”. The Privacy Commissioner will introduce best practices for organisations that procure, implement and use AI systems (including generative AI) involving the use of personal data. In addition, Dr Arvin TANG, Director of Multimedia Systems and Analytics of Artificial Intelligence and Trust Technologies at the Hong Kong Applied Science and Technology Research Institute (ASTRI), will offer practical experience on how AI can be developed and applied in a privacy-friendly manner.

The PCPD Joins Global Privacy Enforcement Network in Completing Global Privacy Protection Sweep on Deceptive Design Patterns

1 Aug 2024

PCPD Joins Global Privacy Enforcement Network in Recommending Privacy-Protective Design for Online Platforms and Apps

The PCPD joined the Global Privacy Enforcement Network (GPEN) earlier to conduct a global privacy protection sweep (Sweep) on more than 1,000 websites and mobile applications (apps) globally under the theme of “Deceptive Design Patterns”.


A global joint report was issued today upon completion of the Sweep. A total of 52 authorities took part, coordinated jointly by GPEN and the International Consumer Protection and Enforcement Network (ICPEN).


The participating enforcement authorities encourage businesses to design their online platforms or apps in a manner that enables users to make informed privacy-protective choices that reflect their preferences. Good privacy-protective designs include:

  1. Make the most privacy-protective option the default choice;

  2. Emphasise the provision of privacy options to users;

  3. Avoid using biased language and design, and present privacy choices in a fair and transparent manner;

  4. Allow users to easily find privacy information, log out, or delete an account without the need for multiple clicks; and

  5. Provide timely relevant consent options to users.

PCPD newsletter - https://www.pcpd.org.hk/misc/dpoc/newsletter.html

The Sweep report is here - https://www.privacyenforcement.net/content/2024-gpen-sweep-deceptive-design-patterns-reports-english-and-french.

Oxfam Hong Kong investigating possible data leak after revealing it suffered cyberattack

29 Jul 2024

Oxfam HK reveals it suffered a cyberattack; affected systems include the one used for Oxfam Trailwalker

The Hong Kong branch of the international charity Oxfam has revealed that it suffered a cyberattack, with investigations under way to determine whether personal data was leaked. The charity first revealed the attack in a statement on its website on Saturday, but it was more widely reported on Friday when an email concerning the case was sent to potential victims. The charity says it discovered the incident on July 10; it affected several systems, including the one used for the Oxfam Trailwalker. Oxfam Hong Kong said it immediately launched an investigation and engaged independent cybersecurity experts to assess the affected systems, determine the impact of the attack and offer remedies.

MediSecure Data Breach Update Confirms 12.9 Million Records Stolen; Identification of Affected Individuals Difficult

23 Jul 2024

MediSecure Data Breach - 12.9 Million Records Stolen, Identification of Affected Individuals Difficult

The April 2024 MediSecure data breach involved ransomware; 6.5 TB of data was taken and about 12.9 million records were exposed, ranking it just behind the massive Canva breach of May 2019.


An incident analysis has since determined that at least one of the company’s database servers was hit with ransomware. However, the general lack of structure in the data sets may actually be helping to shield victims, as it can be difficult to tie details to individual identities. The data breach included details on prescriptions from March 2019 to November 2023, such as the drug types and dosages issued, the dates issued and the patient conditions related to the prescription.
