Latest News
8 May 2024
PCPD Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures”
PCPD notes that cyberattacks on the information systems of organisations occurred from time to time, resulting in the leakage of personal data. These incidents were generally caused by the organisations’ failures to adopt adequate and effective organisational or technical security measures to protect their information systems, or by the negligence or error of staff members.
Ms Ada CHUNG Lai-ling, the Privacy Commissioner, and Mr Brad KWOK, Chief Personal Data Officer of the PCPD will talk about lessons learnt from data breach cases which occurred in recent years, and elaborate on the causes of the data breaches and the remedial measures taken. The speakers will also provide their recommendations on how to enhance cybersecurity and data security measures, as well as highlight the key points in preventing and handling data breach incidents.
Date: 23 May 2024 (Thursday)
Time: 3:00 pm – 4:15 pm
7 May 2024
FSD - Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public
It is third online security incident concerning government departments revealed in a week
Latest incident occurred on Friday when an outsourced contractor handled data migration procedure, Fire Services Department says
The department added that 960 incomplete identity card numbers of staff were also involved.
In Chinese: https://www.hk01.com/%E7%A4%BE%E6%9C%83%E6%96%B0%E8%81%9E/1017020
5 May 2024
EMSD_CR incidents related-Gov Departments Review Personal Data Storage and Information Security urged by HKGCIO
The Office of the Government Chief Information Officer has requested all government departments to comprehensively review information security and personal data storage public cloud platforms within a week.
3 May 2024
CR Companies Registry's e-services maintained after earlier incident of personal data leakage
The Companies Registry has reported the case to the Security Bureau, the Office of the Government Chief Information Officer and the Office of the Privacy Commissioner for Personal Data.
As of May 3, the Companies Registry (CR) said today that urgent maintenance of its e-Services Portal to block any risk of further leakage of personal data had been completed. The CR had also completed the relevant investigation.
Other information:
Company Registry System 3 Vulnerability 110,000 directors' personal information leaked Name ID card for viewing - https://www.hk01.com/article/1016277?utm_source=01articlecopy&utm_medium=referral
3 May 2024
Hacker-hit Hong Kong consumer watchdog ordered to fix data security problems within 2 months
Hong Kong’s consumer watchdog breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack. Email alert system also failed to notify watchdog of attack last September, with council only learning about incident once US$500,000 ransom request was sent
2 May 2024
Consumer Council-PCPD Publishes Findings on the Data Breach Incident
The Privacy Commissioner has served an Enforcement Notice on the Consumer Council, directing it to remedy the contravention and prevent similar recurrence of the contravention.
Adopt multi-factor authentication for remote access to information and communications systems to minimise the risk of attacks targeting information systems;
Establish a robust cybersecurity framework, allocate sufficient resources and formulate effective strategies and measures to prevent, detect and respond to cyberattacks, thereby reducing the possibility of cyberattacks and the risk of data leakage;
Conduct regular risk assessments and security audits of information systems;
Establish a corporate culture that values data security; and
Devise effective training plans to enhance staff awareness and competence in data security and personal data protection.
30 Apr 2024
Hong Kong Arts Development Council attacked maliciously by hackers. No data breach or loss reported.
Hong Kong Arts Development Council stated that the incident happened last Friday; it immediately activated its emergency response mechanism to prevent further intrusion by the hackers. It also commissioned network security experts for a comprehensive investigation and reported to PCPD, Hong Kong Police and Culture, Sports and Tourist Board.
26 Apr 2024
Health conglomerate Kaiser notifies millions of a data breach
April 25 (Reuters) - U.S. health conglomerate Kaiser is notifying millions of its members of a data breach earlier this month, it reported in a notice posted on Thursday.
The Kaiser Foundation Health Plan confirmed that 13.4 million residents had their information taken in a data breach, as per a legally required notice filed with the U.S. government on April 12 and reported on Thursday.
22 Apr 2024
Personal information of parents, staff at 127 schools accessed in data security breach (at Mobile Guardian)
SINGAPORE: A data breach at one of its vendors has resulted in the "unauthorised access" of names and email addresses of parents and staff from five primary schools and 122 secondary schools, the Ministry of Education (MOE) said on Friday (Apr 19).
MOE said it was notified by Mobile Guardian that its user management portal had been breached on Wednesday, with the incident occurring at the company's headquarters in Surrey, United Kingdom.
15 Apr 2024
Law firm Orrick agrees to $8 mln settlement over breach of client data
U.S. law firm Orrick, Herrington & Sutcliffe has agreed to pay $8 million to settle class action claims from people who said their personal information was compromised in a breach of some of the firm's client data, according to a proposed settlement filed Thursday in San Francisco federal court.
Hackers accessed the names, addresses, dates of birth, and Social Security numbers of more than 600,000 people that were contained in files held by Orrick, the plaintiffs said. Orrick detected the data breach in March 2023.
Plaintiffs alleged Orrick did not inform them of the data breach until late June last year. Thursday's court papers said that "by January 2024, Orrick had sent notice letters to impacted individuals consistent with its data breach notification obligations."
12 Apr 2024
PCPD Seminar Presentation on “Cross-boundary Flow of Personal info within GBA”
The Government CIO, Ir. Tong Wong, JP, was invited to provide an overview of the facilitation measures of the Standard Contract (SC) within the GBA. The Privacy Commissioner, Ms Ada CHUNG Lai-ling, and Senior Legal Counsel (Acting) of the PCPD, Ms Clemence Wong, also explained the obligations and responsibilities of contracting parties under the GBA SC.
https://www.pcpd.org.hk/english/whatsnew/files/20240409_PCPD.pdf
https://www.pcpd.org.hk/english/whatsnew/files/20240409_OGCIO.pdf
(only Chinese version is available)
5 Apr 2024
Hackers gain access to sensitive data of DOST Department of Science and Technology in Philippines
Hackers believed to be operating within the country illegally gained access to the network of the government agencies including the Department of Science and Technology (DOST), compromising 2 terabytes' worth of data, including research plans, designs and schematics, the Department of Information and Communications Technology (DICT) confirmed on Wednesday.
3 Apr 2024
PCPD Investigation Report of Cyberport Ransomware Attack
https://www.pcpd.org.hk/english/news_events/media_statements/press_20240402.html
Investigation Report: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_12170_e.pdf - Deficiencies include:
Lack of effective detection measures in Cyberport’s information systems;
Failure to enable MFA for remote access;
Insufficient security audits of the information systems;
Lack of concrete cybersecurity framework; and
Unnecessary retention of personal data
1 Apr 2024
AT&T says a data breach leaked millions of customers’ information online
NEW YORK (AP) — The theft of sensitive information belonging to millions of AT&T’s current and former customers has been recently discovered online. AT&T said that a dataset found on the “dark web” contains information including some Social Security numbers and passcodes for about 7.6 million current account holders and 65.4 million former account holders.
Full names, email addresses, mailing address, phone numbers, dates of birth and AT&T account numbers may have also been compromised. The impacted data is from 2019 or earlier and does not appear to include financial information or call history, the company said.
27 Mar 2024
Presentation on Mar 19 PCPD Seminar on “Responding to Cyber Security Threats and Data Breaches”
Presentation link (Chin)
https://www.pcpd.org.hk/english/whatsnew/files/Brad_240319.pdf
https://www.pcpd.org.hk/english/whatsnew/files/HKIRC_Arktos_240319.pdf
PCPD/HKIRC Topical Seminar on “Responding to Cyber Security Threats and Data Breaches” registration - https://www.pcpd.org.hk/spec_event/spec_event76_apply.php
26 Mar 2024
New PCPD training workshops - Personal Data Privacy Management Programme, Property Management
New workshops in https://dpo.hku.hk/pcpd-training
Data Protection in Property Management Practices
Personal Data Privacy Management Programme
26 Mar 2024
4 Effective Ways To Defend Your Business From Data Breaches
EY’s Emerging Tech at Work 2023 survey reveals that 89% of employees believe adopting emerging tech benefits their company. Still, cybersecurity risk can be a barrier to adoption.
According to the same EY survey, approximately 73% of employees are concerned about the cybersecurity risks associated with generative AI, and 78% worry about quantum computing.
1. Start with clear-cut training
2. Shield the cloud
3. Monitor for data leaks
4. Minimize data retention
20 Mar 2024
South China Athletic Association: Hong Kong privacy watchdog probes data breach involving loss of 70,000 members’ personal information
Hong Kong’s privacy watchdog is investigating a large-scale data breach at a prominent sports club involving the loss of about 70,000 members’ personal information, including identity card and passport details.
The Office of the Privacy Commissioner for Personal Data on Tuesday also urged members of the South China Athletic Association (SCAA) to report any suspicious activity, a day after the club announced the data leak.
The breach includes possible theft of information such as members’ names, identity card and passport numbers, and addresses, as well as their contact details.
ENG - https://www.scmp.com/news/hong-kong/society/article/3255944/hong-kong-privacy-watchdog-probes-data-breach-prominent-sports-club-involving-loss-about-70000
CN - https://news.rthk.hk/rthk/ch/component/k2/1745249-20240319.htm
18 Mar 2024
Thousands of Nissan customers have had their data stolen in cyberattack
The cyberattack on Nissan Motor Corporation and Nissan Financial Services in Australia and New Zealand, which happened in December 2023, resulted in the theft of sensitive data belonging to roughly 100,000 people, the company has confirmed.
In early December last year, the Japanese car manufacturing giant said it was investigating a possible data breach. In an update posted on its website on Mar 14, Nissan said it had started notifying affected individuals, with data stolen from customers, current and former employees, as well as some dealers. Customers include owners of Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM brands, the company noted. Nissan believes that roughly 10% of the victims have had “some form of government identification” compromised. That includes 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers.
13 Mar 2024
Acer confirms Philippines employee data leaked on hacking forum
Acer Philippines confirmed that employee data was stolen in an attack on a third-party vendor who manages the company's employee attendance data after a threat actor leaked the data on a hacking forum.
A threat actor known as 'ph1ns' published a link to download a stolen database containing Acer employee data for free on a hacking forum.
Acer is a Taiwanese maker of computer hardware and electronics. Earlier today,