Latest News

Gov Dept-Companies Registry cleared of privacy violations despite 100,000-person data breach

12 Mar 2025

The PCPD concluded its investigation on Mar 12 2025, attributing the breach to the use of common modules in the system’s design, which inadvertently included excessive data fields.


A total of 109,002 individuals may have been affected, including 108,575 company directors whose HKID card numbers, passport numbers, and residential addresses were exposed. The breach was reported by the Companies Registry on April 19, 2024, after it identified a risk of personal data leakage in the e-Search Services of its e-Services Portal, following a system revamp launched in late 2023.


Given several security measures taken during the system's revamp and the lack of evidence of unauthorized access, the PCPD found insufficient grounds to conclude that the Companies Registry had failed to take all practicable steps to safeguard personal data; the Registry was therefore cleared of privacy violations.

Hackers drained US$1.4 billion of cryptocurrency from Bybit exchange, CEO Ben Zhou confirms

10 Mar 2025

The cryptocurrency exchange Bybit (Dubai based) was hacked for more than $1.4 billion worth of Ethereum in what cybersecurity experts are calling the largest-ever theft targeting a cryptocurrency platform. 


In a livestream to address the incident on Friday, Bybit CEO Ben Zhou confirmed that 401,000 ETH coins had been stolen. He assured customers that other wallets had not been impacted and said the exchange had enough liquidity to honor withdrawals and to survive the incident. The DeFi platforms Ronin Network and Poly Network each lost more than $600 million in hacks.

Measures for the Administration of Personal Information Protection Compliance Audits to take effect on 1 May 2025

10 Mar 2025

https://podcasts.apple.com/hk/podcast/data-privacy-matters-%E6%95%B0%E6%8D%AE%E9%9A%90%E7%A7%81abc/id1783777444


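In this episode we invite Laoshi Zhao, a senior data compliance expert, to talk about putting the personal information protection audit into practice, choosing data compliance technology tools, and the art of balancing data compliance with business.

1:42 Implementing the data compliance audit

13:25 Choosing data compliance technology tools

21:10 Balancing data compliance and business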


China mandatory PIPL compliance audit requirements will be effective from 1 May 2025.

We have invited our friend Laoshi Zhao, an experienced data compliance expert in the industry, to share his insights on how to implement the new audit requirements in the MNC environment.

35,000+ Websites Hacked To Inject Malicious Scripts Redirecting Users To Chinese Websites

6 Mar 2025

A massive cybersecurity breach has compromised over 35,000 websites, injecting malicious scripts that completely hijack users’ browser windows and redirect them to Chinese-language gambling platforms.


Security experts suggest this campaign may be connected to the Megalayer exploit, known for distributing Chinese-language malware.


Website owners are advised to audit their source code for unauthorized script tags, block the malicious domains through firewall rules, regularly check for unauthorized file modifications, implement Content Security Policy restrictions, and perform frequent site scans using tools like PublicWWW or URLScan to uncover malicious injections.

Orange Group confirms breach after hacker leaks company documents

5 Mar 2025

Orange initiated an investigation and is working to minimize the impact of the incident. According to the threat actor, who uses the alias Rey and is a member of the HellCat ransomware group, the stolen data is mostly from the Romanian branch of the company and includes 380,000 unique email addresses, source code, invoices, contracts, customer and employee information.


Rey says that they stole almost 12,000 files totaling close to 6.5GB after compromising Orange’s systems by exploiting compromised credentials, and vulnerabilities in the company’s Jira software for bug/issue tracking, and internal portals.

PCPD Prof Training (Charged) - Mar 5 Court cases & AAB Decisions / Mar 17 DAR

26 Feb 2025

PCPD Prof Training (Charged) - Mar 5 Court cases & AAB Decisions

(1) Major data privacy issues raised in recent decisions of the Hong Kong Court and the Administrative Appeals Board

(2) In-depth discussion and interpretation of key provisions of the Personal Data (Privacy) Ordinance.

(3) Familiarisation of recent decisions that can serve as legal authorities and practical examples for solving problems encountered in compliance work.


PCPD Prof Training (Charged) - Mar 17 Data Access Request

Practical guidance on issues relating to compliance with a Data Access Request ("DAR") raised by customers or employees

PCPD training Mar 11-Protecting Personal Data to Prevent Fraud

26 Feb 2025

Scammers often commit fraud by swindling or embezzling your personal data, such as name, identity card number, phone number, email address, credit card number and security code, etc. Therefore, you must always be vigilant, especially when using smartphones and social media, to prevent scammers from obtaining your personal data.


PCPD and Anti-Deception Coordination Centre (ADCC) of the Commercial Crime Bureau of the Hong Kong Police Force will discuss the latest trends of scams, using real cases as examples.

Invest Hong Kong reports information security incident

24 Feb 2025

Invest Hong Kong (InvestHK) announced today (February 23) that an information security incident was identified yesterday (February 22). The incident involved a malicious ransomware attack on part of InvestHK's computer systems. InvestHK reported the case to the Police, the Digital Policy Office (DPO), PCPD and the Security Bureau on the same day.


Preliminary findings indicated that the affected areas included an internal Customer Relationship Management (CRM) system, intranet and part of InvestHK's website operations, such as the function to contact InvestHK via the website form and events updates. InvestHK's public services remain normal. Members of the public can continue to contact staff of InvestHK through telephone, email or face-to-face meetings.

Consultancy firm (Berry, Dunn, McNeil & Parker) Paid $7.25 Million to settle Data Breach Lawsuit

20 Feb 2025

Consultancy firm BerryDunn Paid $7.25 Million to settle Data Breach Lawsuit

Berry, Dunn, McNeil & Parker, LLC (BerryDunn) has agreed to settle a class action lawsuit that alleged negligence for failing to prevent a data breach that affected more than 1.1 million individuals (personal & health info). The accounting and consultancy firm provides services to several industries, including health data analytics services to healthcare providers, health insurers, and government regulatory and healthcare policy agencies.


Legal action was taken by individuals affected by the data breach and the lawsuits were consolidated into a single suit – In re: Berry, Dunn, McNeil & Parker Data Security Incident Litigation, in the U.S. District Court for the District of Maine. BerryDunn chose to settle the lawsuit with no admission of wrongdoing and liability to avoid the risks and costs associated with continuing the litigation.

AI Governance Status - HK / Mainland China CAC / EU AI Act

12 Feb 2025

https://www.tannerdewitt.com/artificial-intelligence-regulatory-landscape-in-china-and-hong-kong/

https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

https://www.mfa.gov.cn/eng/wjbzhd/202412/t20241218_11497479.html


HK AI regulation - adopted a context-based approach. Regulators (PCPD) have published regulations & guidelines within existing frameworks in the development, supply and use of AI systems in HK.


China GenAI Regulation - Released on Sep 14, 2024, by the Cyberspace Administration of China (CAC), it aims to standardise the labelling of AI-generated content to safeguard public interests and protect the rights of citizens, organisations, and legal entities.


The European AI Office, established in Feb 2024 within the Commission, oversees the AI Act’s enforcement. The AI Act entered into force on 1 Aug 2024, and will be fully applicable 2 years later on 2 Aug 2026. It sets out a clear set of risk-based rules to guarantee safety, fundamental rights and human-centric AI, and to strengthen uptake, investment and innovation in AI across the EU.

Google Starts Tracking All Your Devices In 10 Days

8 Feb 2025

Republished on February 8th with new analysis into Google’s tracking cookie replacement and implications for Chrome’s 3 billion users. 


While there’s no agreed end-date to tracking cookies, Google has teased a one-click solution for users to stop being tracked. Think of this as its equivalent to App Tracking Transparency deployed by Apple. Google doesn’t need tracking cookies itself. It almost certainly knows who you are because you hold one of its accounts.

Meta Confirms WhatsApp Hack—Act Now To Stay Safe

4 Feb 2025

Meta has confirmed that a zero-click hacking attack, requiring no user interaction, has impacted users of the WhatsApp secure messaging platform. Meta has not confirmed where the affected users were located geographically, although it is believed they were from more than 20 countries. Those users were compromised by spyware from an Israel-based software company called Paragon Solutions. Meta has issued a cease and desist letter to Paragon and is exploring further legal avenues. Paragon, meanwhile, is yet to comment.

2025 Feb-Mar PCPD Professional Trainings

3 Feb 2025

12 Feb, 2:15–5:15pm, Face-to-Face - Data Protection in Human Resource Management

26 Feb, 2:15–5:15pm, Online - Data Protection in Direct Marketing Activities

5 Mar, 2:15–5:15pm, Online - Recent Court & Admin Appeals Board Decisions

12 Mar, 2:15–5:15pm, Online - Data Protection in Banking/Financial Services

19 Mar, 2:15–5:15pm, Face-to-Face - Data Protection & DAR


12 Feb - Professional Workshop on Data Protection in Human Resource Mgt

Key take-aways:

• A thorough understanding of the requirements of the PDPO and the Code of Practice on Human Resource Management when handling employees’ personal data in the entire employment process from cradle to grave

• How to properly handle Data Access Requests

• How to tackle employees’ personal data privacy issues arising from COVID-19

202411 PCPD Data Breach Incident Trends and Sharing (Chinese only)

3 Feb 2025

202411 PCPD Data Breach Incident Trends and Sharing (in Chinese only)

Official Receiver's Office Lost 7 Boxes of Backup Tapes Containing 76,000 Personal Information

27 Jan 2025

Seven cassettes of tapes were lost during transportation from the Immigration Tower to the Queensway Government Offices on December 23 2024, carried out in accordance with the recovery and backup procedures. The incident has been reported to the relevant authorities, including the Hong Kong Police Force, the Office of the Privacy Commissioner for Personal Data, the Security Bureau and the Digital Policy Office. PCPD received a notification of the data breach incident on 24 January and has initiated an investigation into the incident in accordance with established procedures.

PowerSchool (education technology student info system) hack - 62M students, 9M teachers affected

27 Jan 2025

In late December 2024, an unidentified threat actor used stolen credentials to access the PowerSchool Student Information System (SIS) platform. The information taken included names and postal addresses and, in some districts, Social Security numbers (SSN), personally identifiable information (PII), medical information, and grades.

PCPD Investigation Findings on the Data Breach Incident of Oxfam (refer to news posted dated July 29 2024)

24 Jan 2025

Last news posted on July 29 2024: Oxfam HK revealed it suffered a cyberattack


PCPD report - The investigation revealed that over 330 GB of data was exfiltrated, potentially affecting around 550,000 data subjects. The following deficiencies of Oxfam contributed to the occurrence of the Incident:

  1. Outdated Firewalls which contained critical vulnerabilities;

  2. Failure to enable multi-factor authentication;

  3. Lack of critical security patches of servers;

  4. Ineffective detection measures in the information systems;

  5. Inadequacies of the security assessments of information systems;

  6. Lack of specificity of its information security policy; and

  7. Prolonged retention of personal data.

Data breach fines should not be too high or too low

23 Jan 2025

The government says it will look at how big the fines should be for companies that breach data protection laws to make sure they are acceptable to firms, while still having a deterrent effect.


LCQ2: Prevention of personal data breaches and financial crimes

https://www.info.gov.hk/gia/general/202501/22/P2025012200305.htm

Subsequent to the briefing for the Panel on Financial Affairs of the Legislative Council in October 2024, the Government is currently drafting the legislative amendments and will continue to engage the PCPD and other stakeholders to ensure that a balance is struck between fighting against financial crime and safeguarding personal data privacy in the legislative amendments.



PCPD Tips to Prevent Fraud - Enquiries Soar by Over 40%

17 Jan 2025

PCPD Tips to Prevent Fraud - Enquiries Soar by Over 40% in 2024

PCPD received 1,158 enquiries relating to suspected personal data frauds in 2024 (793 in 2023), including:

  1. Fraudulent Recruitment Advertisements Scams

  2. Scams Using Instant Messaging Applications (Apps)

  3. Scams by Counterfeit Customer Service Agents/Online Auction Platforms

  4. SMS/Email Scams

  5. Telephone Scams

  6. Scam Videos Using Artificial Intelligence (AI) Deepfake Technology

  7. Scams on Social Media Platforms

Tips

  1. Be vigilant

  2. Authenticate the identity of callers

  3. Keep an eye on your accounts and transaction records

  4. Password protection

  5. Smart use of social media and instant messaging apps

  6. Fraud prevention information

PCPD shared six tips on fraud prevention with the elderly

2 Jan 2025

The Volunteer Team of the PCPD visited St. James’ Settlement Wan Chai District Elderly Community Centre on 20 December and organised a Christmas fraud prevention gathering for around 200 elders. The event aimed to enhance the elderly’s awareness of fraud prevention in a lively and joyful way.


PowerPoint (in Chinese only) - https://www.pcpd.org.hk/english/news_events/media_statements/files/20241220_PC.pdf

Copyright @2024 The University of Hong Kong. All Rights Reserved.