
Latest News
17 Dec 2025
New Data Protection Mandatory Training for all staff to start in mid January 2026.
Modified data protection training will be released to all staff (including newly hired staff) in mid Jan 2026. Please stay tuned for the announcement.
Please visit dpo.hku.hk or email group-its-dpo@hku.hk for inquiries.
16 Dec 2025
Gartner: All AI Browsers Should be Blocked for Foreseeable Future
Gartner is warning organizations to block AI browsers due to significant cybersecurity risks.
These browsers, which integrate AI-powered features like summarization and autonomous task completion, pose threats such as data exposure, phishing attacks, and unauthorized transactions. The risks stem from AI browsers' tendency to prioritize user experience over security, making them vulnerable to prompt injection attacks and data leaks including user credentials that open businesses and individuals to further danger.
Gartner advises organizations to conduct thorough risk assessments and implement strict policies to mitigate these risks. However, even with precautions, the risks associated with AI browsers may outweigh their benefits, leading Gartner to recommend blocking them for the foreseeable future.
12 Dec 2025
CEO of South Korean retail giant Coupang resigns after massive data breach
Park Dae-jun has resigned as chief executive of South Korean retail giant Coupang after a data breach exposed the personal information of more than half of the country’s population.
The retail giant, often compared to Amazon for its dominance in South Korean e-commerce and logistics, last month revealed details of a data breach affecting close to 34 million people. The breach allegedly began in June but wasn’t noticed until November, when Coupang initially said over 4,500 customers had their data stolen. The company later revised that figure dramatically upward.
The Coupang hack is the latest in a string of security incidents affecting corporate giants and the central government across the country this year, including a data center fire that led to a massive, irretrievable loss of South Korean government data.
29 Nov 2025
Leading AI Companies Accidentally Leak Their Passwords and Digital Keys on GitHub
Many of the world's top artificial intelligence companies are accidentally publishing their passwords and digital keys on GitHub. The problem was found by security researchers at Wiz who examined 50 leading AI firms, and discovered that 65% of them had accidentally exposed highly sensitive information online.
The information that the companies have accidentally leaked included API keys, tokens, and other credentials capable of granting access to internal systems, training data, or even private AI models.
The affected companies are worth over US $400 billion in total, with major names such as Anthropic (the makers of Claude), Glean, and Crusoe Energy amongst those examined.
It is these AI companies that are developing the technology increasingly integrated into our personal and professional lives. It powers the chatbots, recommendation systems, decision-making tools, and more that are likely to be integral to your business and will continue to be increasingly important in the future.
28 Nov 2025
Hall Managers Data Protection session RSVP (online or onsite)
Date & time: Dec 17, 10:30am-12pm
RSVP: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=104153 (online/onsite)
Venue: DIL room, 2/F Main Library
Agenda covers data protection basic training, DAR, CCTV guidelines, use case
23 Nov 2025
European Commission announces proposed changes to EU AI Act-interconnected to GDPR
This is part of the broader Digital Omnibus Proposal to simplify and streamline EU laws on AI, data, digital, and cyber.
Top 5 proposed EU AI Act changes
1. Timeline changes (Article 113): The obligations for providers and deployers of high-risk AI systems currently due to apply from 2 August 2026 to be delayed to either:
a) 6-12 months after technical standards for high-risk AI requirements are approved; or
b) 2 Dec 2027 (in Annex III) and 2 Aug 2028 (in Annex I).
2. Downgrading AI Literacy obligations (Article 4): encourage providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy.
3. EU AI Office scope expansion (Article 75): by designating the AI Office (part of the European Commission) as the authority responsible for supervision and enforcement.
4. Limiting registration in public EU database (Article 6): they will still have to provide evidence of this derogation assessment upon request.
5. Proportionality for small mid-caps (SMCs) (Article 99): defined as companies that employ up to 750 people and have an annual turnover of under €150 million.
Graphic from https://siliconangle.com/2025/11/19/eu-revise-gdpr-ai-act-part-regulatory-simplification-push/
20 Nov 2025
Reminder-PCPD_Experience Sharing Session on Data Governance by Privacy-Friendly Awardees 2025-Dec 2, 3-5pm
First Post - Nov 6 2025
Second Post - Nov 20 2025
=========================
Date & Time: 2 December 2025 (Tue), 3:00 pm – 5:00 pm
Speakers:
- Ms Kaisy HUNG, Senior Statistician (IT Services), Census and Statistics Department
- Mr Rick CHAN, Chief Systems Manager (Project Governance and Cybersecurity), DPO
- Don TAI, Senior Manager (Infrastructure and Information Security), HK Genome Institute
- Mr LEUNG Wai-kin, General Manager (Customer Services), The HK Electric Company, Limited
Key Topics:
Practical strategies for implementing proactive and effective data governance to properly manage vast amounts of personal data
Real-life examples of privacy-by-design and privacy-by-default
Privacy controls/measures taken to enhance data security and prepare for future privacy challenges
Please REACH OUT TO group-ITS-DPO@hku.hk if you want to join for free (FYI Each DPOC member can register up to 3 free seats)
20 Nov 2025
Quick Data Protection Awareness workshop schedule overview
Nov 2025
Nov 25 - DAR walkthrough for UHS
Dec 2025
Dec 12 - Data Protection session at HRO Induction
Dec 16 - Data Protection session with Faculty of Science
Dec 17 - Data Protection workshop with Hall Managers
Mar 2026
Mar 5 - Data Protection Workshop for Faculty of Social Science
19 Nov 2025
Cl0p (cybercriminal organization) claims ransomware hit on NHS England
Clop (sometimes written “Cl0p”) is known for its multilevel extortion techniques and global malware distribution.
The NHS appears alongside other names, one of which, US newspaper The Washington Post, has confirmed that it fell victim to a Cl0p attack orchestrated via two distinct vulnerabilities in Oracle’s E-Business Suite, patched earlier in the autumn. NHS England’s digital teams published an advisory notice covering the Oracle bugs – CVE-2025-53072 and CVE-2025-62481 – on 23 October.
13 Nov 2025
Leading AI companies keep leaking their own information on GitHub
Quick summary
- Researchers find 65% of the Forbes top 50 AI companies are leaking secrets
- These come in the form of tokens, API keys, and sensitive credentials
- Wiz used a 'Depth, Perimeter, and Coverage' approach to spot leaks
Using the Forbes top 50 leading AI companies as a benchmark, the experts found that nearly two-thirds (65%) of these top AI firms were leaking verified secrets on GitHub. These tokens, sensitive credentials, and API keys were found buried deep in places most researchers and scanners would never encounter, like deleted forks, developer repos, and gists.
3 Nov 2025
PCPD - Use of CCTV System and Video Cameras on Drones and Vehicles
Quick reference below; the information will also be posted on the DPO website under "Resources CCTV" - https://dpo.hku.hk/cctv-surveillance:
- “Guidance on the Use of CCTV Surveillance”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf
- “Tips on the Use of CCTV Surveillance” information leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf
- “Guidance on the Use of Video Cameras on Drones and Vehicles”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cameras_vehicles.pdf
- “Responsible Use of Drones and In-Vehicle Cameras” information leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/responsible_vehicle_cameras.pdf
1 Nov 2025
LinkedIn Using Users’ Personal Data for Training Generative AI Models from 03 Nov 2025
If YOU do not wish to authorise LinkedIn to use YOUR personal data for training generative AI models, please follow the steps below to change the default settings and withdraw your consent.
1. Go to the “Data privacy” in your account settings, then select “Data for Generative AI Improvement” to locate the toggle switch.
2. Turn off “Use my data for training content creation AI models” to withdraw your consent.
Please reach out to the DPO office (group-its-dpo@hku.hk) for inquiries if required.
31 Oct 2025
Industrial giants Schneider Electric and Emerson among cybercriminals' victims in the attack that targeted Oracle E-Business Suite
The Cl0p leak website contains links to 2.7 TB of archive files storing information allegedly obtained from Emerson and 116 GB of archive files with information allegedly belonging to Schneider Electric.
30 Oct 2025
China AI Governance Triangle - The Cybersecurity Law, Personal Information Protection Law (PIPL), Data Security Law (DSL)
On October 28, 2025, the Standing Committee of the National People’s Congress passed the latest amendment to the Cybersecurity Law of the PRC, which—for the first time—explicitly includes artificial intelligence in the core legal framework of national cybersecurity.
A newly added Article 20 states:
“The State supports basic theoretical research and key technologies in artificial intelligence such as algorithms, promotes the construction of data resources and computing infrastructure, improves ethical norms for AI, strengthens risk monitoring, assessment, and security supervision, and promotes the application and healthy development of AI.”
Companies will likely face future requirements for AI safety assessments, algorithm filing, and ethical review.
29 Oct 2025
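Cyberspace Administration of China - Administrative Measures for National Cybersecurity Incident Reporting to take effect on 1 November 2025
Decision of the Standing Committee of the National People's Congress on Amending the Cybersecurity Law of the People's Republic of China - China NPC website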
http://www.npc.gov.cn/npc/c2/c30834/202510/t20251028_449048.html
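Key compliance points of the Administrative Measures for National Cybersecurity Incident Reporting:
Scope of application and incident reporting entities (Article 2, Article 12)
Network operators that build or operate networks, or provide services through networks, within the territory of the People's Republic of China. Network operators means the owners and administrators of networks and network service providers.
Cybersecurity incident (Article 12)
An incident in which, owing to human causes, attacks on a network, vulnerabilities or hidden risks in a network, software or hardware defects or failures, force majeure or other factors, harm is caused to networks and information systems or to the data and business applications in them, with a negative impact on the state, society or the economy.
Incident reporting time limits (Article 4)
Assess the incident according to the Guidelines for the Classification of Cybersecurity Incidents. Where it is a cybersecurity incident of the "relatively major" level or above:
Where critical information infrastructure is involved, the network operator shall report to the protection work department and the public security authority at the first opportunity, and no later than 1 hour. For major and particularly major cybersecurity incidents, the protection work department shall, after receiving the report, report to the national cyberspace administration and the public security department of the State Council at the first opportunity, and no later than 30 minutes.
Where the network operator is a department of the central and state organs or a unit directly under one, it shall promptly report to its own department's cyberspace affairs body, and no later than 2 hours. For major and particularly major cybersecurity incidents, the department's cyberspace affairs body shall, after receiving the report, report to the national cyberspace administration at the first opportunity, and no later than 1 hour. After receiving the report, the national cyberspace administration shall promptly notify the relevant departments.
Other network operators shall promptly report to the provincial-level cyberspace administration of their locality, and no later than 4 hours. For major and particularly major cybersecurity incidents, the provincial-level cyberspace administration shall, after receiving the report, report to the national cyberspace administration at the first opportunity, and no later than 1 hour, and at the same time notify the relevant departments at the same level.
Incident reporting channels (Article 9)
The cyberspace administration has set up the 12387 cybersecurity incident reporting hotline, together with a website, e-mail, fax and other means, to receive cybersecurity incident reports in a unified manner.
Penalties (Article 10)
Heavier penalties for late reporting or concealment: where a network operator's late reporting, omission, false reporting or concealment of a cybersecurity incident causes seriously harmful consequences, the network operator and the responsible persons shall be given heavier penalties in accordance with the law.
Timely reporting may be exempt from penalty: where a department responsible for cybersecurity incident reporting fails to report a cybersecurity incident as required by these Measures, the relevant units and personnel shall be held accountable in accordance with the relevant laws, administrative regulations and the cybersecurity work responsibility system.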
23 Oct 2025
Jaguar Land Rover attack to cost UK £1.9bn, say cyber monitors
Cyber monitors have classed the Jaguar Land Rover (JLR) cyber attack as a Category 3 Systemic Event on their “hurricane” scale and believe the overall financial cost to the economy adds up to about £1.9bn so far.
The cyber attack – linked to the loosely affiliated Scattered Lapsus$ Hunters hacking collective – shut down JLR’s assembly lines, with ripple effects spreading quickly across the UK’s automotive supply chain and harming more than 5,000 other organisations so far.
What this incident demonstrates is how a cyber attack on a single major manufacturer can cascade through thousands of businesses, disrupting suppliers, transport and local economies, and triggering billions in losses across the UK economy.
15 Oct 2025
Ransomware hits Cheung Sha Wan Vegetable Market, 7,000 users’ data at risk
Source URL : Ransomware hits Cheung Sha Wan Vegetable Market, 7,000 users’ data at risk | The Standard
https://www.thestandard.com.hk/hong-kong-news/article/314195/
The gate and accounting systems at the Cheung Sha Wan Wholesale Vegetable Market were hit by a ransomware attack on Monday, potentially compromising the data of about 7,000 market users.
https://www.info.gov.hk/gia/general/202510/15/P2025101500574.htm?fontSize=1
The Vegetable Marketing Organization (VMO) announced today (October 15) that an information security incident involving a ransomware attack had been detected on part of its computer systems on October 13. Upon discovery, the VMO immediately suspended the operation of its network systems and disconnected relevant computer servers from external connections to prevent further hacker intrusion. The incident has been reported to the Police, the Hong Kong Computer Emergency Response Team Coordination Centre, and the Office of the Privacy Commissioner for Personal Data.
15 Oct 2025
126 fake academic credential reports logged in first 7 months: Hong Kong police
Force arrested 55 people between January 2022 and July this year for allegedly using fraudulent credentials at local universities.
Last year, HKU’s business school revealed that about 30 students were found to have used fraudulent qualifications to secure places.
10 Oct 2025
Oct 20-24 - HKU Data Protection & Cybersecurity Awareness Week
PLEASE RSVP for the seminars:
Oct 22 in Sassoon campus especially for LKS Fac Medi and Fac Dentistry;
Oct 24 in DIL room on 2/F Main Library (same venue as Data Protection Coordinator Meeting today)
- Mandarin session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103243
- Cantonese session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103249
- English session: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=97186
QR code for online / onsite questions - Questions will only be available on Oct 20.



















