The PCPD concluded its investigation on Mar 12 2025, attributing the breach to the use of common modules in the system’s design, which inadvertently included excessive data fields.
A total of 109,002 individuals may have been affected, including 108,575 company directors whose HKID card numbers, passport numbers, and residential addresses were exposed. The breach was reported by the Companies Registry on April 19, 2024, after it identified a risk of personal data leakage in the e-Search Services of its e-Services Portal, following a system revamp launched in late 2023.
Given several security measures during system's revamp and the lack of evidence of unauthorized access, the PCPD found insufficient grounds to conclude that the Companies Registry had failed to take all practicable steps to safeguard personal data thus they are cleared of privacy violations.