Latest News

Cyberspace Administration of China: the Administrative Measures for National Cybersecurity Incident Reporting take effect on 1 November 2025

29 Oct 2025

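Decision of the Standing Committee of the National People's Congress on Amending the Cybersecurity Law of the People's Republic of China (National People's Congress of China website)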

http://www.npc.gov.cn/npc/c2/c30834/202510/t20251028_449048.html


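Key compliance points of the Administrative Measures for National Cybersecurity Incident Reporting:

Scope of application and reporting entities (Articles 2 and 12)

  • Network operators that build or operate networks, or provide services through networks, within the territory of the People's Republic of China. A network operator means the owner or administrator of a network, or a network service provider.

Cybersecurity incident (Article 12)

  • An event that, owing to human factors, attacks on a network, vulnerabilities or latent risks in a network, software or hardware defects or failures, force majeure or other factors, causes harm to networks and information systems, or to the data and business applications in them, and has a negative impact on the state, society or the economy.

Reporting time limits (Article 4)

Where an incident, assessed under the Guidelines for the Classification of Cybersecurity Incidents, is a relatively major cybersecurity incident or above:

  • Where critical information infrastructure is involved, the network operator shall report to the protection work department and the public security authority at the earliest opportunity, and no later than 1 hour. For a major or particularly major cybersecurity incident, the protection work department shall, on receiving the report, report to the national cyberspace administration and the public security department of the State Council at the earliest opportunity, and no later than 30 minutes.

  • Where the network operator is a department of the central and state organs or a unit directly under one, it shall report promptly to its own department's cyberspace affairs office, and no later than 2 hours. For a major or particularly major cybersecurity incident, the department's cyberspace affairs office shall, on receiving the report, report to the national cyberspace administration at the earliest opportunity, and no later than 1 hour. On receiving the report, the national cyberspace administration promptly notifies the relevant departments.

  • Other network operators shall report promptly to the provincial-level cyberspace administration of their locality, and no later than 4 hours. For a major or particularly major cybersecurity incident, the provincial-level cyberspace administration shall, on receiving the report, report to the national cyberspace administration at the earliest opportunity, and no later than 1 hour, and at the same time notify the relevant departments at the same level.

Reporting channels (Article 9)

  • The cyberspace administrations have set up the 12387 cybersecurity incident reporting hotline, together with a website, e-mail, fax and other channels, to receive cybersecurity incident reports in a unified manner.

Penalties (Article 10)

  • Heavier penalties for late or concealed reporting: where a network operator's late, omitted, false or concealed reporting of a cybersecurity incident results in seriously harmful consequences, the network operator and the persons responsible shall be punished more severely in accordance with the law.

  • Timely reporting may be exempt from penalty: where a department responsible for cybersecurity incident reporting fails to report a cybersecurity incident as required by these Measures, the relevant units and personnel shall be held accountable under the relevant laws, administrative regulations and the cybersecurity work responsibility system.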

Jaguar Land Rover attack to cost UK £1.9bn, say cyber monitors

23 Oct 2025

Cyber monitors have classed the Jaguar Land Rover (JLR) cyber attack as a Category 3 Systemic Event on their “hurricane” scale and believe the overall financial cost to the economy adds up to about £1.9bn so far.

The cyber attack – linked to the loosely affiliated Scattered Lapsus$ Hunters hacking collective – shut down JLR’s assembly lines, with ripple effects spreading quickly across the UK’s automotive supply chain and harming more than 5,000 other organisations so far.


What this incident demonstrates is how a cyber attack on a single major manufacturer can cascade through thousands of businesses, disrupting suppliers, transport and local economies, and triggering billions in losses across the UK economy.

Ransomware hits Cheung Sha Wan Vegetable Market, 7,000 users’ data at risk

15 Oct 2025

Source: The Standard - https://www.thestandard.com.hk/hong-kong-news/article/314195/

The gate and accounting systems at the Cheung Sha Wan Wholesale Vegetable Market were hit by a ransomware attack on Monday, potentially compromising the data of about 7,000 market users.


https://www.info.gov.hk/gia/general/202510/15/P2025101500574.htm?fontSize=1

The Vegetable Marketing Organization (VMO) announced today (October 15) that an information security incident involving a ransomware attack had been detected on part of its computer systems on October 13. Upon discovery, the VMO immediately suspended the operation of its network systems and disconnected relevant computer servers from external connections to prevent further hacker intrusion. The incident has been reported to the Police, the Hong Kong Computer Emergency Response Team Coordination Centre, and the Office of the Privacy Commissioner for Personal Data.

126 fake academic credential reports logged in first 7 months: Hong Kong police

15 Oct 2025

The force arrested 55 people between January 2022 and July this year for allegedly using fraudulent credentials at local universities.


Last year, HKU’s business school revealed that about 30 students were found to have used fraudulent qualifications to secure places.

Oct 20-24 - HKU Data Protection & Cybersecurity Awareness Week

10 Oct 2025

PLEASE RSVP for the seminars:

Oct 22 at the Sassoon campus, especially for the LKS Faculty of Medicine and the Faculty of Dentistry;

Oct 24 in DIL room on 2/F Main Library (same venue as Data Protection Coordinator Meeting today)

- Mandarin session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103243

- Cantonese session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103249

- English session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=97186


QR code for online / onsite questions - Questions will only be available on Oct 20.

PCPD training Oct 22-Data Protection in Direct Marketing Activities

9 Oct 2025

This workshop provides a practical approach to complying with the requirements of the PDPO in direct marketing activities and provides hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared with the participants.


Date: 22 October 2025 (Wednesday)

Time: 2:15pm - 5:15pm

Language: Cantonese

Format: Face-to-face

PCPD training Oct 15-Recent Court and Administrative Appeals Board Decisions (Online workshop)

9 Oct 2025

Legal practitioners and compliance officers often find themselves in practical need of keeping abreast of the latest decisions and the legal arguments of the court and the Administrative Appeals Board in relation to data privacy. Hosted by a PCPD lawyer, this workshop will let you take a deep-dive into the crunch issues in those cases and the commonly deployed provisions of the Personal Data (Privacy) Ordinance.

Date: 15 October 2025 (Wed)
Time: 2:15pm – 5:15pm

Language: Cantonese

Red Hat Breach: Crimson Collective Claims Massive Theft of Private Repositories

4 Oct 2025

On October 1, 2025, a Telegram channel linked to the Crimson Collective shared evidence of a breach targeting Red Hat’s private repositories.


According to the threat actor, they exfiltrated around 570 GB of data (compressed) from more than 28,000 Red Hat repositories, including Customer Engagement Reports (CERs) – consulting documents known to contain configuration files, network architecture, and even authentication tokens. A total of 800+ customers may be impacted, including commercial giants like IBM, Citi, Siemens, Bosch, and Verizon, and U.S. government agencies including the NSA, Department of Energy, NIST, and others.


IAPP - Global AI Law and Policy Tracker

3 Oct 2025

China has been proactive in adopting legislation and regulations around the use of AI, with several national laws currently in place. Currently, the laws, regulations, and policies governing AI in China are specific to AI use cases.

• Algorithmic Recommendation Management Provisions [IN FORCE]

• Interim Measures for the Management of Generative AI Services [IN FORCE]

• Deep Synthesis Management Provisions [IN FORCE]

• AI guidelines and summary of regulations [IN FORCE]

• Scientific and Technological Ethics Regulation [IN FORCE]

• Next Generation AI Development Plan [IN FORCE]


China established an AI standards committee, drawing members from industry, such as Baidu, Alibaba and Tencent - https://www.scmp.com/tech/big-tech/article/3290745/baidu-alibaba-tencent-executives-among-big-tech-members-new-china-ai-standards-committee, dated Dec 14 2024.

Oct 20-24 Data Protection & Cybersecurity Annual Awareness Week

2 Oct 2025

2025 Awareness Week: Artificial Intelligence in Personal Data Protection & Cybersecurity


Oct 20-24, 11:00-17:00,  2/F Main Library

CyberGuard & AI Capture Booth


Oct 22, 14:00-16:45, Seminar Room 2, 4/F HKUMed Academic Building

Data Protection Seminar: Emerging Risks in Data Protection in Healthcare - Please RSVP


Oct 24, 10:30-16:30, 2/F DIL

Data Protection Seminar: AI in Personal Data Protection & Cybersecurity

10:30-11:30 Mandarin session conducted by ADCC

11:30-12:30 Mandarin session by UDS

14:30-15:30 Cantonese session by UDS

15:30-16:30 English session by UDS



Harrods cyberattack - over 430,000 customers have data stolen

1 Oct 2025

  • An IT breach has exposed 430,000 Harrods customers' details

  • The data does not include payment information or passwords

  • Harrods is not engaging with the hackers

Luxury department store Harrods has confirmed it has been contacted by criminals claiming to have stolen the records of over 430,000 customers in an IT breach. The company said this breach is unconnected to the string of attacks which hit British high street retailers, including Harrods itself, M&S, and Co-Op, earlier in 2025.

HKU Data Protection Coordinator Meeting Rescheduled to Oct 10 (from Sep 25)

22 Sept 2025

Oct 10 2025 meeting topics - DAR, Inventory, PIA, Mandatory Training

RSVP - https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=102793 

====================================

From: Athene Cheung <athenec@hku.hk>
Sent: Friday, September 5, 2025 4:51 PM

Subject: Empowering data privacy - Sep 25, 11:00am - DAR, Inventory, PIA, Info Protection, Training-HKUEMS Registration

=====================================

From: Athene Cheung <athenec@hku.hk>
Sent: Tuesday, August 19, 2025 5:56 PM
Subject: Empowering data privacy - Sep 25, 11:00am - DAR, Inventory, PIA, Info Protection, 

  1. DAR process walkthrough, Target: DAR responsible staff members

  2. Data Inventory & retention – PRIVACY MGT PROGRAM | Dataprotectionoffice (2.1) to be updated annually, by Dec 2025. Note: Ben will share access with each coordinator for update (fall back to do file update as last year). Pls let us know for change of contacts here if any - Data Protection Coordinators Area | Dataprotectionoffice

  3. PIA – ongoing for new projects

  4. Information Protection – for confidential and restricted data

  5. Data Protection Training for ALL staff – to be completed by Dec 2025

  6. Bi-Annual reminder - HKU System and Practices | Dataprotectionoffice-under 07 Bi-annual reminder of data protection

Other updates:

  1. Workshops with individual department - please check Training Schedule | Dataprotectionoffice.

  2. HKU fiscal year July 2024 to June 2025 Mandatory data protection training for New Hired Staff – please see below summary. I will reach out to each faculty and share the results. Please support completion.

Major Cyberattack Disrupts Heathrow & Other European Airports

21 Sept 2025

Air travel across several major European hubs has been severely disrupted after what is being described as a cyber-attack on a key service provider responsible for check-in and boarding systems. 


The incident, which has impacted airports including London’s Heathrow, Brussels Airport, and Berlin Brandenburg Airport, has led to widespread delays, cancellations, and operational bottlenecks as authorities scramble to restore systems and return flights to schedule. Passenger queues stretched longer than usual, and airport staff struggled to accommodate the sudden operational shift. Flights that were already on tight turnaround schedules faced unavoidable delays, while some departures were canceled outright as airlines prioritized safety and logistical feasibility over punctuality.


Additional news for the incident - https://www.computerweekly.com/news/366631592/Cyber-attack-that-downed-airport-systems-confirmed-as-ransomware

Emergency calls were offline: Optus CEO says 'completely unacceptable' triple-0 failure due to network upgrade

21 Sept 2025

Emergency calls were offline for nearly 14 hours, during which four people died – including an eight-week-old baby. A fourth person died during Optus’s network outage on Thursday, its CEO has confirmed. Stephen Rue said in a statement released on Saturday afternoon that the telco was “saddened to learn of a new fatality in Western Australia, which appears to have occurred during the outage period”.

https://www.dailymail.co.uk/news/article-15116821/amp/optus-ceo-stephen-rue-outage-three-dead.html


#1-ALL full-time staff Mandatory Data Protection Training Reminder by end of 2025

17 Sept 2025

Please have all full-time staff members in your faculty, department or independent centre complete the mandatory data protection training by the end of 2025. Please click the single sign-on button on the page to get to the training platform - https://dpo.hku.hk/mandatory-dp-training.

RSVP Oct 22 Emerging risks in AI data protection and security in Healthcare

17 Sept 2025

Oct 22 Sassoon Campus-Emerging risks in AI data protection and security in Healthcare

The healthcare industry's rapid digital transformation, while unlocking incredible potential for patient care, has opened a new frontier of vulnerabilities. This critical seminar delves into the emerging risks that threaten the sanctity and security of sensitive health data. We will move beyond traditional IT concerns to explore the complex challenges posed by the proliferation of connected medical devices (IoMT), the adoption of AI and machine learning, sophisticated ransomware targeting critical care systems, and the immense difficulties of managing third-party vendor risk. Join us to gain essential insights into building a resilient, proactive security posture to protect patient trust and ensure compliance in an increasingly volatile landscape.

Date: Oct 22, 2025

Topic: Emerging risks in data protection and security in Healthcare

Venue: HKU Sassoon Seminar Room 2, 4/F 3 Sassoon Road

Language: English (or Cantonese depending on participation)

Face to Face & Online (Teams)

Time & proposed rundown. Please arrive before 2pm.

  • 2:00 pm Reception

  • 2:15 – 2:30pm opening by HKU CIO & University Librarian, Ms Flora Ng

Group Photo

  • 2:45 – 3:30pm Speech by Dr. Joseph Ho, Union Hospital

  • 3:30 – 4:15pm Speech by Dr. Summer Chan, Hospital Authority

  • 4:15 – 4:45pm Q&A

Tea/drink gathering with speakers & senior management 5pm.

Target audience:

  1. HKU LKS Faculty, departments & schools staff (mostly admin staff) & students

  2. Faculty of Dentistry staff (mostly admin staff) & students

Please RSVP https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103049

________________________________________________________________________________

Join the meeting on Microsoft Teams:

https://teams.microsoft.com/dl/launcher/launcher.html?url=%2F_%23%2Fl%2Fmeetup-join%2F19%3Ameeting_YzMxNzY5MGMtN2ExNy00NTZmLWFkYjYtOWMzM2Y0N2M5NDVl%40thread.v2%2F0%3Fcontext%3D%257b%2522Tid%2522%253a%252242f9b54e-2477-41ba-bf09-7a0d2a83ff09%2522%252c%2522Oid%2522%253a%252205b220eb-c1d3-4911-a920-742639278ff9%2522%257d%26OR%3DOutlook%26anon%3Dtrue&type=meetup-join&deeplinkId=88710971-14bf-4574-8b2c-89d6a9896126&directDl=true&msLaunch=true&enableMobilePage=true&suppressPrompt=true

Meeting ID: 486 712 207 280 9

Passcode: tN7VN3rS

Burger King hacked - ethical hackers crack fast food security

13 Sept 2025

Two ethical hackers, known as BobDaHacker and BobTheShoplifter, recently revealed how easily they gained access to critical systems of Restaurant Brands International (RBI), the parent company of Burger King.

  • Hard-coded passwords exposed Burger King’s fragile security infrastructure worldwide

  • Hackers accessed employee accounts and internal configurations with shocking ease

  • Plain-text passwords sent via email revealed careless cybersecurity practices

Massive database containing identity info on 252 million people leaked online

11 Sept 2025

252 million people in seven countries (western) at risk of identity theft

A quarter of a billion people, located in seven countries around the world, were at risk of identity theft, wire fraud, phishing, social engineering, and other forms of cybercrime due to a collection of misconfigured databases leaking all sorts of personal information.

  • Security researchers at Cybernews found three servers holding a huge tranche of data on people in seven countries

  • Names, ID numbers, and more, were being leaked to the public

  • The archives are now locked down

The people are apparently from Turkey, Egypt, South Africa, Saudi Arabia, the United Arab Emirates, Mexico, and Canada, with those in the first three hit particularly badly, as they lost “full-spectrum” data.

Crisis as Catalyst: What the M&S Breach Teaches Us About Cybersecurity Decision-Making

27 Aug 2025

Insightful read - 


M&S committed to compressing two years of digital transformation into just six months.

Decision #1: Is Cybersecurity Treated as an IT Problem or a Business Imperative?

Decision #2: Is the Organization Investing in People or Just Perimeter Defenses?

Decision #3: Does the Organization Manage Vendor Risk or Just Hope for the Best?

Decision #4: Is the Organization Responding With Strategy?

Do Not Waste the Crisis

Google confirms data breach by hackers who used voice phishing to access Google’s internal Salesforce system

20 Aug 2025

Google confirms data stolen in breach by known hacker group. Hackers used voice phishing to access Google’s internal Salesforce system and steal data.


The breach was carried out by ShinyHunters, a well-known cybercriminal group formally tracked as UNC6040. The group has recently been linked to a string of high-profile incidents involving companies such as AT&T, Ticketmaster, Allianz Life, and Pandora. In this case, the attackers targeted Google’s corporate Salesforce instance, a system the company uses to store contact information and notes about small and medium-sized businesses.


Cisco, Qantas, and Pandora have all reported similar breaches in recent months, which now appear to be part of a broader campaign targeting cloud-based customer relationship management tools.

Copyright @2024 The University of Hong Kong. All Rights Reserved.