
Latest News

AI Governance Status - HK / Mainland China CAC / EU AI Act

12 Feb 2025


https://www.tannerdewitt.com/artificial-intelligence-regulatory-landscape-in-china-and-hong-kong/

https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

https://www.mfa.gov.cn/eng/wjbzhd/202412/t20241218_11497479.html


HK AI regulation - Hong Kong has adopted a context-based approach. Regulators (PCPD) have published regulations & guidelines within existing frameworks covering the development, supply and use of AI systems in HK.


China GenAI Regulation - Released on Sep 14, 2024 by the Cyberspace Administration of China (CAC), it aims to standardise the labelling of AI-generated content to safeguard public interests and protect the rights of citizens, organisations, and legal entities.


The European AI Office, established in Feb 2024 within the Commission, oversees the AI Act’s enforcement. The AI Act entered into force on 1 Aug 2024 and will be fully applicable 2 years later, on 2 Aug 2026. It sets out a clear set of risk-based rules to guarantee safety, fundamental rights and human-centric AI, and to strengthen uptake, investment and innovation in AI across the EU.

Google Starts Tracking All Your Devices In 10 Days

8 Feb 2025


Republished on February 8th with new analysis into Google’s tracking cookie replacement and implications for Chrome’s 3 billion users. 


While there’s no agreed end-date to tracking cookies, Google has teased a one-click solution for users to stop being tracked. Think of this as its equivalent to App Tracking Transparency deployed by Apple. Google doesn’t need tracking cookies itself. It almost certainly knows who you are because you hold one of its accounts.

Meta Confirms WhatsApp Hack—Act Now To Stay Safe

4 Feb 2025


Meta has confirmed that a zero-click hacking attack, requiring no user interaction, has impacted users of the WhatsApp secure messaging platform. Meta has not confirmed where the affected users were located geographically, although it is believed they were from more than 20 countries. Those users were compromised by spyware from an Israel-based software company called Paragon Solutions. Meta has issued a cease and desist letter to Paragon and is exploring further legal avenues. Paragon, meanwhile, is yet to comment.

2025 Feb-Mar PCPD Professional Trainings

3 Feb 2025


12 Feb, 2:15–5:15pm, Face-to-Face - Data Protection in Human Resource Management

26 Feb, 2:15–5:15pm, Online - Data Protection in Direct Marketing Activities

5 Mar, 2:15–5:15pm, Online - Recent Court & Admin Appeals Board Decisions

12 Mar, 2:15–5:15pm, Online - Data Protection in Banking/Financial Services

19 Mar, 2:15–5:15pm, Face-to-Face - Data Protection & DAR


12 Feb - Professional Workshop on Data Protection in Human Resource Mgt

Key take-aways:

• A thorough understanding of the requirements of the PDPO and the Code of Practice on Human Resource Management when handling employees’ personal data in the entire employment process from cradle to grave

• How to properly handle Data Access Requests

• How to tackle employees’ personal data privacy issues arising from COVID-19

202411 PCPD Data Breach Incident Trends and Sharing (in Chinese only)

3 Feb 2025

Official Receiver's Office Lost 7 Boxes of Backup Tapes Containing 76,000 Personal Information

27 Jan 2025


Seven cassettes of tapes were lost during transportation from the Immigration Tower to the Queensway Government Offices on December 23 2024 in accordance with the recovery and backup procedures. The incident has been reported to the relevant authorities, including the Hong Kong Police Force, the Office of the Privacy Commissioner for Personal Data, the Security Bureau and the Digital Policy Office. PCPD received a notification of the data breach incident on 24 January and has initiated an investigation into the incident in accordance with established procedures.

PowerSchool (education technology student info system) hack - 62M students, 9M teachers affected

27 Jan 2025

In late December 2024, an unidentified threat actor used stolen credentials to access the PowerSchool Student Information System (SIS) platform. The information taken included names, postal addresses and, in some districts, Social Security numbers (SSN), personally identifiable information (PII), medical information, and grades.

PCPD Investigation Findings on the Data Breach Incident of Oxfam (refer to news posted on July 29 2024)

24 Jan 2025

Previous news posted on July 29 2024: Oxfam HK revealed it had suffered a cyberattack.

PCPD report - The investigation revealed that over 330 GB of data was exfiltrated, potentially affecting around 550,000 data subjects. The following deficiencies of Oxfam contributed to the occurrence of the Incident:

  1. Outdated Firewalls which contained critical vulnerabilities;

  2. Failure to enable multi-factor authentication;

  3. Lack of critical security patches of servers;

  4. Ineffective detection measures in the information systems;

  5. Inadequacies of the security assessments of information systems;

  6. Lack of specificity of its information security policy; and

  7. Prolonged retention of personal data.

Data breach fines should not be too high or too low

23 Jan 2025


The government says it will look at how big the fines should be for companies that breach data protection laws to make sure they are acceptable to firms, while still having a deterrent effect.


LCQ2: Prevention of personal data breaches and financial crimes

https://www.info.gov.hk/gia/general/202501/22/P2025012200305.htm

Subsequent to the briefing for the Panel on Financial Affairs of the Legislative Council in October 2024, the Government is currently drafting the legislative amendments and will continue to engage the PCPD and other stakeholders to ensure that a balance is struck between fighting against financial crime and safeguarding personal data privacy in the legislative amendments.



PCPD Tips to Prevent Fraud - Enquiries Soar by Over 40% in 2024

17 Jan 2025

PCPD received 1,158 enquiries relating to suspected personal data frauds in 2024 (793 in 2023), including:

  1. Fraudulent Recruitment Advertisements Scams

  2. Scams Using Instant Messaging Applications (Apps)

  3. Scams by Counterfeit Customer Service Agents/Online Auction Platforms

  4. SMS/Email Scams

  5. Telephone Scams

  6. Scam Videos Using Artificial Intelligence (AI) Deepfake Technology

  7. Scams on Social Media Platforms

Tips

  1. Be vigilant

  2. Authenticate the identity of callers

  3. Keep an eye on your accounts and transaction records

  4. Password protection

  5. Smart use of social media and instant messaging apps

  6. Fraud prevention information

PCPD shared six tips on fraud prevention with the elderly

2 Jan 2025

The Volunteer Team of the PCPD visited St. James’ Settlement Wan Chai District Elderly Community Centre on 20 December and organised a Christmas fraud prevention gathering for around 200 elders. The event aimed to enhance the elderly’s awareness of fraud prevention in a lively and joyful way.


PowerPoint (in Chinese only) - https://www.pcpd.org.hk/english/news_events/media_statements/files/20241220_PC.pdf

Japan Airlines System Hit by Cyber Attack

27 Dec 2024

The attack on Japan Airlines (JAL), which began at 7:24 AM local time, targeted the airline’s internal and external network equipment, leading to system malfunctions that have impacted communication and operational processes.

JAL, the nation’s second-largest airline, reported a significant cyberattack on its systems early Thursday morning, causing disruptions to both domestic and international flight operations.


In 2022, a similar attack disrupted operations at a Toyota supplier, halting production at domestic plants for an entire day. More recently, in June 2024, the video-sharing platform Niconico suspended its services due to a large-scale cyberattack.

PCPD enforcement notices on “Blind” Recruitment Advertisements Posted on Online JobsDB

10 Dec 2024

PCPD has served enforcement notices on JobsDB and 3 recruiting organisations, directing them to take measures to remedy the contraventions and prevent recurrence, and has issued an advisory letter to each of the remaining five organisations.

PCPD calls upon other operators of online recruitment platforms to:

  • Beware of anyone using Blind Ads to perpetrate frauds or collect personal data by unfair means; and

  • Carefully review recruitment advertisements received to identify Blind Ads and avoid publishing the same in order to protect the personal data privacy of members of the public.

The PCPD reiterated that Blind Ads may be used as an unscrupulous means to collect personal data and may be misused by swindlers to collect personal data for fraudulent activities. When job seekers are unable to ascertain the employers’ identities, they should check and verify the information contained in the Blind Ads carefully and should not arbitrarily respond to the Blind Ads or submit their personal data.

Privacy Commissioner confirms data breach affecting 17,000 individuals by EMSD

9 Dec 2024

PCPD has uncovered a significant data breach involving EMSD, affecting over 17,000 individuals who were subject to 14 compulsory testing operations during the pandemic from March to July 2022. The data involved included names, addresses, identity card numbers, and phone numbers.


This incident highlights four major deficiencies in the EMSD’s handling of personal data.

1. Lack of written policies on the retention of personal data collected in the RTD operations.

2. Failure to make an unequivocal request to the contractor for deletion of the relevant data.

3. Failure to take the initiative to delete the personal data involved.

4. Failure to properly follow up with the contractor on the deletion of data.


Investigation report: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf

Deloitte UK Hacked – Brain Cipher Ransomware Group Allegedly Stole 1 TB of Data

6 Dec 2024

Notorious ransomware group Brain Cipher has claimed to have breached Deloitte UK, allegedly exfiltrating over 1 terabyte of sensitive data from the professional services giant.


Brain Cipher is a ransomware group that emerged in June 2024, quickly gaining notoriety for its cyberattacks on organizations worldwide. Notably, it was responsible for a significant attack on Indonesia’s National Data Center, which disrupted services for over 200 government agencies, including immigration and passport control.


According to statements posted by Brain Cipher, the attack has exposed critical vulnerabilities in Deloitte UK’s cybersecurity infrastructure.

PCPD and HKPC Jointly Release “HK Enterprise Cyber Security Readiness Index and AI Security” Survey - Index has increased by 5.8 points to 52.8 points

2 Dec 2024

The PCPD and HKPC jointly released the results of the “HK Enterprise Cyber Security Readiness Index and AI Security” survey on 21 November. The “HK Enterprise Cyber Security Readiness Index” has increased by 5.8 points to 52.8 points (maximum being 100 points) compared with last year. The index comprises four areas including “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”.


Full survey: https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/AISecuritySurvey2024.pdf


HKPC’s “Phishing Defence Services”: https://www.hkpc.org/en/our-services/digital-transformation/cyber-security/phishing-defence-services

Fintech For 45 Of 50 Top Banks Confirms Data Breach

21 Nov 2024


Finastra, a global leader in financial technology that serves 45 of the world’s top 50 banks, has confirmed a major data breach impacting its internal file transfer system SFTP. The London-based firm, which facilitates vital banking and wire transfers for over 8,100 financial institutions worldwide, detected the breach on Nov. 7. 


The breach targeted Finastra’s internally hosted Secure File Transfer Platform, or SFTP, which was exploited using stolen credentials—essentially, a username and password.

Facebook Data Breach Fallout—Millions May Receive Compensation

19 Nov 2024

Amid Facebook's ongoing privacy struggles, a German court has ruled that users affected by the massive 2019 data breach can seek compensation without proving specific damage, as reported by Bloomberg. This ruling represents a meaningful shift in how tech companies may be held accountable for data protection failures.


The 2019 breach exposed the personal information of 533 million Facebook users across 157 countries through a technique known as "scraping." The scope of exposed information was extensive, including full names, phone numbers, locations, birth dates, email addresses and biographical information.

2019 - https://www.forbes.com/sites/ajdellinger/2021/04/03/personal-date-of-533-million-facebook-users-leaks-online/


Amazon confirms employee data breach after vendor hack

12 Nov 2024

Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. The threat actor Nam3L3ss published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more.


Amazon spokesperson Adam Montgomery confirmed Nam3L3ss' claims, adding that this data was stolen from systems belonging to a third-party service provider. 


Nam3L3ss has also leaked the data from twenty-five other companies. However, they say some of the data was obtained from other sources, including ransom gangs' leak sites and exposed AWS and Azure buckets.

Personal data of 148,000 people leaked in breach at two HK hearing centres

5 Nov 2024

Widex Hong Kong Hearing and Speech Centre and subsidiary Starry Hearing and Speech Centre say they were among outlets that suffered a ransomware attack on July 5, which encrypted their internal system data and impacted their applications.


The Office of the Privacy Commissioner for Personal Data estimated on Nov 4 that about 148,000 customers and 30-50 current and former employees had been affected.


Widex is a Denmark-based company that was founded in 1956 and specialises in hearing aids and related services. Its Hong Kong branch was established in 1986 and is one of the first private institutions to offer hearing and speech therapy services in the city. 

Copyright @2024 The University of Hong Kong. All Rights Reserved.