Latest News

Hong Kong company sends dismissal notice in group chat, attracting scrutiny

9 Feb 2026

Privacy watchdog PCPD says exposure of personal data and information on dismissal is a breach of data protection rules. An enforcement notice was sent to a security service company after an employee's termination letter was sent to a group chat, exposing her personal data and information relating to her dismissal to colleagues.


Data protection breaches in Hong Kong

In 2025, the office received a total of 4,228 complaints and handled 17,691 public enquiries. Public enquiries received included:

  • Collection and use of personal data (28%)

  • Complaint handling policy of the PCPD (15%)

  • Access to and correction of personal data (6%)

  • Installation and use of CCTV (5%)

The PCPD also addressed enquiries on the handling of personal data in employment cases (5%).


One Step Away From a Massive Data Breach: What We Found Inside MoltBot

3 Feb 2026

Over just a few days, MoltBot has reached roughly 98,000 GitHub stars, 13,600 forks, and more than 350,000 NPM downloads (plus 27,471 direct GitHub downloads) – as of publication time, and still climbing – which we estimate corresponds to roughly 300k–400k users, derived from NPM and GitHub download counts. That adoption matters because MoltBot works by asking users to provide highly sensitive credentials and API keys – effectively the keys to their digital lives – and it is built to ingest input from multiple sources and take actions across connected accounts.

PCPD Radio Broadcast - Happy Sharing on Digital Security & Privacy Classroom

2 Feb 2026

Series One – “Happy Sharing on Digital Security”

The PCPD holds dialogues with the winning organisations of the “Privacy-Friendly Awards 2025”, starting from 26th January.


Series Two – “Privacy Classroom”

The PCPD has engaged Program Hosts to offer practical tips on topics like the use of AI, fraud prevention and combatting doxxing offences. The “Privacy Classroom” will be broadcast on CR1 and CR2 starting from April.

As CNY Approaches, PCPD Urges Vigilance Against Fraudulent Advertisements Recruiting Construction Workers

30 Jan 2026

The Data Protection Office suggests that departments review the measures below, since they may apply to job applications, especially for non-full-time jobs, made through social media platforms.

The PCPD reminds the public of the following when applying for jobs through social media platforms and instant messaging groups, to safeguard their personal data privacy:

  1. Authenticate the identity of the recruiter or intermediary

  2. Avoid disclosing personal data arbitrarily

  3. Retain communication records

  4. Fraud prevention information

Ransomware Attack Disrupts Operations at Japan’s Largest Port (Nagoya)

26 Jan 2026

Ransomware Attack (Lockbit 3.0) Disrupts Operations at Japan’s Largest Port (Nagoya)

The attack by a Russia-based hacking group known as Lockbit 3.0 led to a temporary shutdown of operations as authorities scrambled to mitigate broader delays in the shipment of goods. Ransomware, a form of malware that locks users out of files or systems until a ransom is paid, has become increasingly concerning for shipping networks amid growing automation trends in Asian ports.


Expert assessments reveal that remote access vulnerabilities, particularly in VPNs and desktop protocols, are frequent targets for ransomware attackers, constituting around 80% of such breaches in Japan. Mihoko Matsubara, a chief cybersecurity strategist at NTT, emphasized the importance of companies regularly updating and patching software to protect against these threats.

HKU department IT - please refer to Threat Bulletin https://its.hku.hk/security-alerts/

22 Jan 2026

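PCPD Seminar on “Understanding the Protection of Critical Infrastructures (Computer Systems) Ordinance and Data Security” (5 February)

21 Jan 2026

Cantonese ONLY

5 February 2026 (Thursday)

3:00pm to 4:30pm

Online / in person (Venue: Lecture Room, Office of the Privacy Commissioner for Personal Data, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong)

Speakers:

  • Mr Chan Wing-on (陳永安), Commissioner of Critical Infrastructure (Computer-system Security)

  • Ms Chung Lai-ling (鍾麗玲), Privacy Commissioner for Personal Data

Highlights:

  • Introduction to the Protection of Critical Infrastructures (Computer Systems) Ordinance

  • What is “critical infrastructure”

  • Responsibilities of critical infrastructure operators

  • Recommendations for enhancing organisations' cyber security

  • How to prevent and handle data breach incidents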


Victorian Department of Education says hackers stole students’ data

15 Jan 2026

The Department of Education in Victoria, Australia, notified parents that attackers accessed a database containing the personal information and email addresses of current and former students, prompting password resets. Types of data include students' names, school names, year levels, school-issued email addresses, and encrypted passwords for accounts that use them.


While the Department of Education didn't share how many students were affected by the data breach, Victoria's government school system serves approximately 650,000 students across over 1,500 schools.

Central Maine Healthcare breach exposed data of over 145,000 people

13 Jan 2026

A data breach at Central Maine Healthcare (CMH) exposed sensitive information of more than 145,000 individuals. The CMH integrated healthcare delivery system serves at least 400,000 people and manages hospitals like Central Maine Medical Center (CMMC), Bridgton Hospital, and Rumford Hospital.


On December 29, CMH published a statement saying that the security incident exposed the following data types, which may vary per individual: full names, dates of birth, treatment information, dates of service, provider names, health insurance information, and Social Security Numbers (SSNs).

Top 3 Cyber Attacks In March 2026

9 Jan 2026

March 2026 delivered a surge in cyber threats targeting users and organizations alike, from banking apps hijacked to siphon personal data to trusted domains exploited for phishing redirects.

1. Fake Banking App Targeting Android Users via Telegram

2. Trusted Websites Exploited for Malicious Redirects

3. Fake Booking.com Pages Delivering XWorm and Stealing Card Data

Data Breach Exposes 17,000 Hong Kong Residents’ Data; EMSD Violates Privacy Ordinance

5 Jan 2026

The Office of the Privacy Commissioner for Personal Data uncovered a data breach by the Electrical and Mechanical Services Department (EMSD), exposing sensitive information of over 17,000 individuals.

  1. Data Breach Details and Personal Data Violations

  2. EMSD’s Failures and the Privacy Commissioner’s Response

  3. Enforcement Notice and Corrective Actions

  4. The Importance of Data Protection and Compliance

Data Breaches 2025: Biggest Cybersecurity Incidents So Far (U.S.)

5 Jan 2026

Data Breaches From December 2025

Petco Breach Exposes Sensitive Customer Data

University of Phoenix: 3.5M Individuals Impacted

Inotiv Pharma Firm Suffers Ransomware Breach

SoundCloud Member Data Breach

SitusAMC Data Breach


Data Breaches From November 2025

University of Pennsylvania Data Breaches: Two Hits in November

Nikkei Data Breach: Slack App Hack

CBO Cybersecurity Incident

Washington Post Employee Data Breach

SitusAMC Data Breach

DoorDash Data Breach

Video & Guidelines for the Use of Generative AI by Employees

30 Dec 2025

3.5 Million Impacted in University of Phoenix Data Breach

27 Dec 2025

The University of Phoenix suffered a data breach exposing 3.5 million individuals

The University of Phoenix suffered a major data breach exposing the personal data of over 3.5 million individuals (current students, former attendees, and university staff).  


Notification letters sent to those impacted mentioned that “… unauthorized third-party exploited a previously unknown software vulnerability in Oracle EBS to exfiltrate certain data from within the University’s Oracle EBS environment”.


The University of Phoenix breach reflects a broader trend across education and public-sector organizations, where attackers increasingly target data-rich environments that often lag in security modernization and continuous monitoring.


How Organizations can reduce risk

  • Strengthen identity, access, and privilege controls 

  • Improve detection and visibility through continuous monitoring, centralized logging, extended log retention, and behavioral analytics.

  • Limit breach impact through data minimization, strong encryption at rest and in transit, and clearly defined data retention and deletion policies.

  • Segment networks, applications, and sensitive data environments to restrict lateral movement and contain unauthorized access.

  • Conduct exercises focused on silent data exfiltration, validating forensic readiness, and testing response workflows.

  • Implement data loss prevention controls, monitor third-party access, and provide timely identity protection support to affected individuals.

Annual Data Inventory (Restricted & Confidential) Reminder

22 Dec 2025

Annual Data Inventory Reminder

All data protection coordinators: please be reminded to have the yearly Data Inventory (for Restricted and Confidential data according to ISDM classification) ready by Dec 31 2025.

2026 Jan-Feb PCPD Professional Workshops (charged)

19 Dec 2025

See https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop.php for all upcoming professional workshops.


Date: 7 Jan 2026 (Wed), Time: 2:15pm – 5:15pm

Key takeaways:

  • An overview of the data protection provisions

  • Recent topical issues on data privacy

  • Liabilities of insurance companies and insurance practitioners

  • Useful pointers on Personal Information Collection Statement

  • Collection of customers’ medical data

  • Collection of Hong Kong identity card number and copy

  • Engagement of private investigators in insurance claims

  • Retention of customers’ personal data

  • Use of customers’ data for internal training

  • Security of customers’ personal data handled by staff and agents

  • Handling of data access requests from customers

  • Data Ethics

PCPD latest guidance on Handling Abuse of AI Deepfakes

18 Dec 2025

Deepfakes may cause harm to others, particularly children and youngsters, if used abusively. Children and youngsters may even create or share malicious deepfakes without realising the potential legal consequences of using deepfakes. The PCPD has published the Toolkit to provide practical advice to schools and parents, with a view to assisting them in handling deepfake incidents involving children and young people, as well as safeguarding their privacy in relation to personal data.

https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf

PCPD Investigation Findings of a Case Involving the Use of CCTV

18 Dec 2025

The investigation arose from a complaint received by the PCPD consequent upon the discovery by a member of the Centre on 16 July 2025 that a CCTV camera was installed in the proximity of a male restroom of the Ma On Shan branch (the Branch) of the Centre, causing him discomfort and concerns about being recorded while using the restroom.


The Centre implemented the following remedial actions:

(1) installed a wooden door at the entrance of the restroom concerned to fully enclose the interior of the restroom;
(2) removed the door mistakenly installed at the entrance of the corridor and placed separate restroom signages outside the three male restrooms; and
(3) repositioned the CCTV camera to the ceiling outside the entrance of the restroom, ensuring it would not capture any area inside the three restrooms.


Tips on CCTV Surveillance

https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf

Guidance on the Use of CCTV Surveillance

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf

Auto Parts Giant LKQ Confirms Oracle EBS Breach

17 Dec 2025

LKQ is a Fortune 500 company that provides recycled, refurbished, and aftermarket components for cars and other types of vehicles. The firm told the Maine Attorney General’s Office that the personal information of more than 9,000 individuals was compromised in the attack.


SecurityWeek reached out to LKQ for comment multiple times since it was named on the Cl0p website in late October, but the company has not responded.

Cisco says Chinese hackers are exploiting its customers with a new zero-day

17 Dec 2025

In a security advisory, Cisco said it discovered a hacking campaign on December 10 targeting Cisco AsyncOS software, and in particular the physical and virtual appliances Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager. The advisory said affected devices have a feature called “Spam Quarantine” enabled and are reachable from the internet.


Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic hacking campaign since a lot of big organizations use the affected products, there are no patches available, and it’s unclear how long the hackers had backdoors in the affected systems.

Copyright @2026 The University of Hong Kong. All Rights Reserved.