
Latest News

Leading AI companies keep leaking their own information on GitHub

13 Nov 2025


Quick summary

- Researchers find 65% of the Forbes top 50 AI companies are leaking secrets

- These come in the form of tokens, API keys, and sensitive credentials

- Wiz used a 'Depth, Perimeter, and Coverage' approach to spot leaks


Using the Forbes top 50 leading AI companies as a benchmark, the experts found that nearly two-thirds (65%) of these firms were leaking verified secrets on GitHub. These tokens, sensitive credentials, and API keys were found buried deep in places most researchers and scanners would never encounter, like deleted forks, developer repos, and gists.

Oct 20-24 Awareness Online Quiz_Slogan Winners

13 Nov 2025


Champion: Ambrose Wong, School of Public Health – “Lock Data Tight, Protect It Right!”

1st Runner-up: Rui Zhang, HKU Institute of Data Science – “Lock your data, unlock your trust”

2nd Runner-up: SF Lee, HKU Business School – “Your Privacy, Your Power - Ignite It, Defend It!”

From Policy to Practice: Experience Sharing Session on Data Governance by Privacy-Friendly Awardees 2025

6 Nov 2025

Data Protection Coordinators are recommended to attend the PCPD Experience Sharing Session on Data Governance by Privacy-Friendly Awardees 2025 (Dec 2, 3-5pm)

Date & Time: 2 December 2025 (Tue), 3:00 pm – 5:00 pm

Speakers: 

- Ms Kaisy HUNG, Senior Statistician (IT Services), Census and Statistics Department

- Mr Rick CHAN, Chief Systems Manager (Project Governance and Cybersecurity), DPO

- Don TAI, Senior Manager (Infrastructure and Information Security), HK Genome Institute

- Mr LEUNG Wai-kin, General Manager (Customer Services), The HK Electric Company, Limited


Key Topics:

  • Practical strategies for implementing proactive and effective data governance to properly manage vast amounts of personal data

  • Real-life examples of privacy-by-design and privacy-by-default

  • Privacy controls/measures taken to enhance data security and prepare for future privacy challenges

Please reach out to group-ITS-DPO@hku.hk if you want to join for free (each DPOC member can register up to 3 free seats).

PCPD - Use of CCTV System and Video Cameras on Drones and Vehicles

3 Nov 2025


Quick reference below; the information will also be posted on the DPO website under "Resources CCTV" (https://dpo.hku.hk/cctv-surveillance):

- “Guidance on the Use of CCTV Surveillance”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf
- “Tips on the Use of CCTV Surveillance” information leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf
- “Guidance on the Use of Video Cameras on Drones and Vehicles”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cameras_vehicles.pdf
- “Responsible Use of Drones and In-Vehicle Cameras” information leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/responsible_vehicle_cameras.pdf

China AI Governance Triangle - The Cybersecurity Law, Personal Information Protection Law (PIPL), Data Security Law (DSL)

30 Oct 2025


On October 28, 2025, the Standing Committee of the National People’s Congress passed the latest amendment to the Cybersecurity Law of the PRC, which—for the first time—explicitly includes artificial intelligence in the core legal framework of national cybersecurity.


A newly added Article 20 states:

“The State supports basic theoretical research and key technologies in artificial intelligence such as algorithms, promotes the construction of data resources and computing infrastructure, improves ethical norms for AI, strengthens risk monitoring, assessment, and security supervision, and promotes the application and healthy development of AI.”


Companies will likely face future requirements for AI safety assessments, algorithm filing, and ethical review.

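Cyberspace Administration of China - National Cybersecurity Incident Reporting "Administrative Measures" to take effect on 1 November 2025

29 Oct 2025

Decision of the Standing Committee of the National People's Congress on Amending the Cybersecurity Law of the People's Republic of China - China National People's Congress website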

http://www.npc.gov.cn/npc/c2/c30834/202510/t20251028_449048.html


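Compliance highlights of the Administrative Measures for National Cybersecurity Incident Reporting:

Scope of application and incident reporting entities (Articles 2 and 12)

  • Network operators that build or operate networks, or provide services through networks, within the territory of the People's Republic of China. "Network operators" means the owners and administrators of networks and network service providers.

Cybersecurity incident (Article 12)

  • An incident in which, due to human causes, attacks on a network, vulnerabilities or latent risks in a network, software or hardware defects or failures, force majeure or other factors, harm is caused to networks and information systems, or to the data and business applications in them, with a negative impact on the state, society or the economy.

Incident reporting time limits (Article 4)

Following assessment under the Guidelines for the Classification of Cybersecurity Incidents, for cybersecurity incidents at the "relatively major" level or above:

  • Where critical information infrastructure is involved, the network operator shall report to the protection work department and the public security organ at the earliest opportunity, and no later than 1 hour. For major or especially major cybersecurity incidents, the protection work department shall, upon receiving the report, report to the national cyberspace administration and the public security department of the State Council at the earliest opportunity, and no later than 30 minutes.

  • Where the network operator is a department of a central or state organ, or a unit directly under such a department, it shall promptly report to its own department's cyberspace affairs body, and no later than 2 hours. For major or especially major cybersecurity incidents, each department's cyberspace affairs body shall, upon receiving the report, report to the national cyberspace administration at the earliest opportunity, and no later than 1 hour. The national cyberspace administration, upon receiving the report, shall promptly notify the relevant departments.

  • Other network operators shall promptly report to the provincial-level cyberspace administration of the place where they are located, and no later than 4 hours. For major or especially major cybersecurity incidents, the provincial-level cyberspace administration shall, upon receiving the report, report to the national cyberspace administration at the earliest opportunity, and no later than 1 hour, and at the same time notify the relevant departments at the same level.

Incident reporting channels (Article 9)

  • The cyberspace administration has set up the 12387 cybersecurity incident reporting hotline, together with a website, email, fax and other channels, to receive cybersecurity incident reports in a unified manner.

Penalties (Article 10)

  • Heavier penalties for late reporting or concealment: where a network operator's late, omitted, false or concealed reporting of a cybersecurity incident causes seriously harmful consequences, the network operator and the persons responsible shall be given heavier penalties in accordance with the law.

  • Timely reporting may be exempt from penalty: where a department responsible for cybersecurity incident reporting fails to report a cybersecurity incident as required by these Measures, the relevant units and personnel shall be held accountable in accordance with the relevant laws, administrative regulations and the cybersecurity work responsibility system.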

Jaguar Land Rover attack to cost UK £1.9bn, say cyber monitors

23 Oct 2025


Cyber monitors have classed the Jaguar Land Rover (JLR) cyber attack as a Category 3 Systemic Event on their “hurricane” scale and believe the overall financial cost to the economy adds up to about £1.9bn so far.

The cyber attack – linked to the loosely affiliated Scattered Lapsus$ Hunters hacking collective – shut down JLR’s assembly lines, with ripple effects spreading quickly across the UK’s automotive supply chain and harming more than 5,000 other organisations so far.


What this incident demonstrates is how a cyber attack on a single major manufacturer can cascade through thousands of businesses, disrupting suppliers, transport and local economies, and triggering billions in losses across the UK economy.

Ransomware hits Cheung Sha Wan Vegetable Market, 7,000 users’ data at risk

15 Oct 2025


Source URL : Ransomware hits Cheung Sha Wan Vegetable Market, 7,000 users’ data at risk | The Standard

https://www.thestandard.com.hk/hong-kong-news/article/314195/

The gate and accounting systems at the Cheung Sha Wan Wholesale Vegetable Market were hit by a ransomware attack on Monday, potentially compromising the data of about 7,000 market users.


https://www.info.gov.hk/gia/general/202510/15/P2025101500574.htm?fontSize=1

The Vegetable Marketing Organization (VMO) announced today (October 15) that an information security incident involving a ransomware attack had been detected on part of its computer systems on October 13. Upon discovery, the VMO immediately suspended the operation of its network systems and disconnected relevant computer servers from external connections to prevent further hacker intrusion. The incident has been reported to the Police, the Hong Kong Computer Emergency Response Team Coordination Centre, and the Office of the Privacy Commissioner for Personal Data.

126 fake academic credential reports logged in first 7 months: Hong Kong police

15 Oct 2025


Force arrested 55 people between January 2022 and July this year for allegedly using fraudulent credentials at local universities.


Last year, HKU’s business school revealed that about 30 students were found to have used fraudulent qualifications to secure places.

Oct 20-24 - HKU Data Protection & Cybersecurity Awareness Week

10 Oct 2025


PLEASE RSVP for the seminars:

Oct 22 on the Sassoon campus, especially for the LKS Faculty of Medicine and the Faculty of Dentistry;

Oct 24 in DIL room on 2/F Main Library (same venue as Data Protection Coordinator Meeting today)

- Mandarin session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103243

- Cantonese session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103249

- English session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=97186


QR code for online / onsite questions - Questions will only be available on Oct 20.

PCPD training Oct 22-Data Protection in Direct Marketing Activities

9 Oct 2025


This workshop provides a practical approach to complying with the requirements under the PDPO in direct marketing activities and provides hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared with the participants.


Date: 22 October 2025 (Wednesday)

Time: 2:15pm - 5:15pm

Language: Cantonese

Format: Face-to-face

PCPD training Oct 15-Recent Court and Administrative Appeals Board Decisions (Online workshop)

9 Oct 2025


Legal practitioners and compliance officers often find themselves in practical need of keeping abreast of the latest decisions and the legal arguments of the court and the Administrative Appeals Board in relation to data privacy. Hosted by a PCPD lawyer, this workshop will let you take a deep-dive into the crunch issues in those cases and the commonly deployed provisions of the Personal Data (Privacy) Ordinance.

Date: 15 October 2025 (Wed)
Time: 2:15pm – 5:15pm

Language: Cantonese

Red Hat Breach: Crimson Collective Claims Massive Theft of Private Repositories

4 Oct 2025


On October 1, 2025, a Telegram channel linked to the Crimson Collective shared evidence of a breach targeting Red Hat’s private repositories.


According to the threat actor, they exfiltrated around 570 GB of data (compressed) from more than 28,000 Red Hat repositories, including Customer Engagement Reports (CERs) – consulting documents known to contain configuration files, network architecture, and even authentication tokens. A total of 800+ customers may be impacted, including commercial giants like IBM, Citi, Siemens, Bosch, and Verizon, and U.S. government agencies including the NSA, Department of Energy, NIST, and others.


IAPP - Global AI Law and Policy Tracker

3 Oct 2025


China has been proactive in adopting legislation and regulations around the use of AI, with several national laws currently in place. Currently, the laws, regulations, and policies governing AI in China are specific to AI use cases.

• Algorithmic Recommendation Management Provisions [IN FORCE]

• Interim Measures for the Management of Generative AI Services [IN FORCE]

• Deep Synthesis Management Provisions [IN FORCE]

• AI guidelines and summary of regulations [IN FORCE]

• Scientific and Technological Ethics Regulation [IN FORCE]

• Next Generation AI Development Plan [IN FORCE]


China established an AI standards committee, drawing members from industry, such as Baidu, Alibaba and Tencent - https://www.scmp.com/tech/big-tech/article/3290745/baidu-alibaba-tencent-executives-among-big-tech-members-new-china-ai-standards-committee, dated Dec 14 2024.

Oct 20-24 Data Protection & Cybersecurity Annual Awareness Week

2 Oct 2025


2025 Awareness Week: Artificial Intelligence in Personal Data Protection & Cybersecurity


Oct 20-24, 11:00-17:00,  2/F Main Library

CyberGuard & AI Capture Booth


Oct 22, 14:00-16:45, Seminar Room 2, 4/F HKUMed Academic Building

Data Protection Seminar: Emerging Risks in Data Protection in Healthcare - Please RSVP


Oct 24, 10:30-16:30, 2/F DIL

Data Protection Seminar: AI in Personal Data Protection & Cybersecurity

10:30-11:30 Mandarin session conducted by ADCC

11:30-12:30 Mandarin session by UDS

14:30-15:30 Cantonese session by UDS

15:30-16:30 English session by UDS



Harrods cyberattack - over 430,000 customers have data stolen

1 Oct 2025


  • An IT breach has exposed 430,000 Harrods customers' details

  • The data does not include payment information or passwords

  • Harrods is not engaging with the hackers

Luxury department store Harrods has confirmed it has been contacted by criminals claiming to have stolen the records of over 430,000 customers in an IT breach. The company said this breach is unconnected to the string of attacks which hit British high street retailers, including Harrods itself, M&S, and Co-Op, earlier in 2025.

HKU Data Protection Coordinator Meeting Rescheduled to Oct 10 (from Sep 25)

22 Sept 2025


Oct 10 2025 meeting topics - DAR, Inventory, PIA, Mandatory Training

RSVP - https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=102793 

====================================

From: Athene Cheung <athenec@hku.hk>
Sent: Friday, September 5, 2025 4:51 PM

Subject: Empowering data privacy - Sep 25, 11:00am - DAR, Inventory, PIA, Info Protection, Training-HKUEMS Registration

=====================================

From: Athene Cheung <athenec@hku.hk>
Sent: Tuesday, August 19, 2025 5:56 PM
Subject: Empowering data privacy - Sep 25, 11:00am - DAR, Inventory, PIA, Info Protection, 

  1. DAR process walkthrough, Target: DAR responsible staff members

  2. Data Inventory & retention – PRIVACY MGT PROGRAM | Dataprotectionoffice (2.1) to be updated annually, by Dec 2025. Note: Ben will share access with each coordinator for update (fall back to do file update as last year). Pls let us know for change of contacts here if any - Data Protection Coordinators Area | Dataprotectionoffice

  3. PIA – ongoing for new projects

  4. Information Protection – for confidential and restricted data

  5. Data Protection Training for ALL staff – to be completed by Dec 2025

  6. Bi-Annual reminder - HKU System and Practices | Dataprotectionoffice-under 07 Bi-annual reminder of data protection

Other updates:

  1. Workshops with individual department - please check Training Schedule | Dataprotectionoffice.

  2. HKU fiscal year July 2024 to June 2025 Mandatory data protection training for New Hired Staff – please see below summary. I will reach out to each faculty and share the results. Please support completion.

Major Cyberattack Disrupts Heathrow & Other European Airports

21 Sept 2025


Air travel across several major European hubs has been severely disrupted after what is being described as a cyber-attack on a key service provider responsible for check-in and boarding systems. 


The incident, which has impacted airports including London’s Heathrow, Brussels Airport, and Berlin Brandenburg Airport, has led to widespread delays, cancellations, and operational bottlenecks as authorities scramble to restore systems and return flights to schedule. Passenger queues stretched longer than usual, and airport staff struggled to accommodate the sudden operational shift. Flights that were already on tight turnaround schedules faced unavoidable delays, while some departures were canceled outright as airlines prioritized safety and logistical feasibility over punctuality.


Additional news for the incident - https://www.computerweekly.com/news/366631592/Cyber-attack-that-downed-airport-systems-confirmed-as-ransomware

Emergency calls were offline_Optus CEO says 'completely unacceptable' triple-0 failure due to network upgrade

21 Sept 2025


Emergency calls were offline for nearly 14 hours, during which four people died – including an eight-week-old baby. A fourth person died during Optus’s network outage on Thursday, its CEO has confirmed. Stephen Rue said in a statement released on Saturday afternoon that the telco was “saddened to learn of a new fatality in Western Australia, which appears to have occurred during the outage period”.

https://www.dailymail.co.uk/news/article-15116821/amp/optus-ceo-stephen-rue-outage-three-dead.html


#1-ALL full-time staff Mandatory Data Protection Training Reminder by end of 2025

17 Sept 2025


Please have all full-time staff members in your faculty, department or independent centre complete the mandatory data protection training by end 2025. Please click the single sign-on button on the page to get to the training platform - https://dpo.hku.hk/mandatory-dp-training.

Copyright @2024 The University of Hong Kong. All Rights Reserved.