Latest News

Aug 27 PCPD Public Seminar: "How to Protect Yourself in the New AI Era"

12 Aug 2025

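Artificial intelligence (AI) is becoming increasingly common in daily life. While AI brings convenience, it also gives rise to many personal data privacy risks, including data leakage, excessive data collection, use of personal data without consent, and data accuracy problems. Criminals even use AI deepfake technology to commit fraud, which the public finds hard to guard against.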

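To help the public understand how to "protect themselves" in the AI era and respond to its new privacy challenges, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada Chung Lai-ling, will speak at this seminar. Using real cases, she will explain in plain terms the privacy risks that AI brings and share how to keep personal data secure. The Privacy Commissioner will also offer recommendations and best practices on how enterprises can use AI safely.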

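Members of the public and organisations interested in the topic are welcome to attend. Places are limited and allocated on a first-come, first-served basis. To register, please visit: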

https://www.pcpd.org.hk/spec_event/spec_event94_apply_cn.php

NASCAR confirms user data breach following Medusa ransomware attack

30 Jul 2025

  • NASCAR files reports with state regulators confirming April 2025 attack

  • The company is offering free credit monitoring for affected victims

NASCAR has confirmed it suffered a cyberattack and a data breach in April 2025 which saw personal information of racing fans allegedly stolen. 

Ransomware operators known as Medusa had claimed responsibility several months ago. In April 2025, the group added NASCAR to its data leak site and demanded $4 million in ransom.

Insurance giant Allianz says most US customer data stolen in cyber-attack

27 Jul 2025

According to the German parent company, the data breach related only to Allianz Life. Hackers used a social engineering technique to steal the personal information of 1.4 million customers in North America and selected Allianz Life employees, the parent company said.


"On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life)," Allianz said in a statement to the BBC.

Miles stolen, personal info exposed in CX data breach

25 Jul 2025

Hong Kong's flagship carrier has apologised over a data breach that led to frequent flyer miles being stolen and personal information of about 1,000 members exposed.

Cathay Pacific on Thursday said it was alerted to "fraudulent activities" on some membership accounts that "led to unauthorised access to personal data and theft of Asia Miles".

Data accessed by unauthorised parties included personal particulars and travel details, according to the carrier, but no credit card information was exposed.

Qantas CEO Vanessa Hudson apologises to customers for data breach

23 Jul 2025

Qantas CEO Vanessa Hudson has apologised to customers over a data breach but says the threat has been contained and the airline's systems are now secure.


Ms Hudson says Qantas has invested tens of millions of dollars in cybersecurity but criminals have become more sophisticated.


The airline is working with the federal government and AFP to hunt down the cybercriminals involved.

Data of 419,000 Louis Vuitton customers in HK leaked

19 Jul 2025

The data of around 420,000 Hong Kong customers of Louis Vuitton was leaked in a breach, the city's privacy watchdog confirmed on Saturday. The breach was first detected by Louis Vuitton's global headquarters on June 13. LVHK was then notified of the incident on July 2 and in turn reported the case to PCPD.

The office said the data leaked included customers' names, passport numbers, dates of birth, addresses, email addresses, phone numbers, transaction records and product preferences.

McDonald’s ‘McHire’ Job Application exposed more than 64 million records

18 Jul 2025

McDonald’s “McHire” job application service was accessed by researchers last month using the password “123456,” potentially exposing more than 64 million records.


The Olivia chatbot was built by Paradox.ai, which took responsibility for the issue in a security update Wednesday, saying a legacy password for the test account and an API endpoint vulnerability exposed “information related to chat interactions.”

Privacy Commissioner’s Office Intervenes in 8 Personal Data Security Incidents

10 Jul 2025

The eight data security incidents:
1. The doctor of a medical diagnostic centre did not log out of the system before leaving the examination room, exposing patients' information.
2. A tour guide distributed group electronic flight tickets to tour members, exposing the personal data of all tour members.
3. When handling a complaint about a parking matter, a security guard disclosed the complainant’s phone number to another carpark tenant.
4. A medical institution failed to apply the appropriate setting in the “View Summary of Responses” function during online collection, exposing the personal data of over 100 registrants.
5. A government department did not follow the established procedures in folding letters, leaving the complainant’s HKID card number visible through the envelope window.
6. An insurance company printed documents on recycled paper that carried obsolete resumes and HKID card copies, exposing personal data.
7. A retailer sent a promotional email to its members with all members (1000) in the recipient field, exposing all their email addresses.
8. Owing to a wrong script applied to the membership accounts system of an airline company, account information was exposed to other members.


Data security pitfalls may lie in any single procedure of work. PCPD makes six recommendations to organisations of all sectors:
1. Incorporate the protection of personal data privacy into the core values of the organisation
2. Enhance the awareness and capabilities of employees to protect privacy through training
3. Develop clear and easy-to-understand work guidelines
4. Adopt technical security measures
5. Regularly monitor, assess and improve compliance with data security policy
6. Develop a comprehensive data breach response plan

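Legislators urge Government to enact cybersecurity law; Chris Tang: Law Reform Commission studying offences such as setting up fake scam websites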

10 Jul 2025

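The Legislative Council today (9th) passed a non-binding Member's motion urging the Government to study enacting a cybersecurity law and to build a comprehensive system against online fraud. Secretary for Security Chris Tang Ping-keung revealed that the Law Reform Commission is carrying out the second stage of its study, focusing on traditional offences whose scale is enlarged through the use of computer networks, such as setting up fake scam websites.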


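Duncan Chiu, the legislator for the Technology and Innovation constituency who moved the motion, suggested that preventing online scams requires a change from "blocking after the fact" to "blocking beforehand", with responsibility placed on operators. Operators should proactively block at source using technology and tools, and should refuse to accept suspicious advertisements or websites, or related content identified by using AI to analyse what has been blocked in the past.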

Over 1,000 join legal action against M&S after major customer data breach, lawyers say

9 Jul 2025

At-a-glance

  • Cyber attack on M&S involved ‘sophisticated impersonation’, chairman tells MPs

  • Thompsons Solicitors launching class action against M&S after April’s cyberattack exposed customer data

  • Names, emails, addresses, and birth dates stolen — raising concerns over identity fraud and phishing scams

  • M&S admits fault, estimating the breach could cost the company around £300 million

  • Customers urged to beware of fake emails offering gifts; experts stress verifying sender details before clicking links

  • M&S hopes to fully restore digital operations by August, following shutdowns to contain the breach

16 Billion Apple, Facebook, Google And Other Passwords Leaked

8 Jul 2025

Researchers have just confirmed what could be the largest leak ever, with an almost incredulous 16 billion login credentials, including passwords, exposed. According to Vilius Petkauskas at Cybernews, who says researchers have been investigating the leakage since the start of the year, “30 exposed datasets containing from tens of millions to over 3.5 billion records each,” have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion.

Cyber Security and Technology Crime Bureau CSTCB “Cybersecurity Report 2024”

8 Jul 2025

CSTCB will continue to lead the development of the cybersecurity ecosystem.


Key Cybersecurity Data

  • Among the 33,903 technology crime cases recorded by Hong Kong Police Force in 2024, there were 112 destructive cyberattacks, including 61 “Hacking activities”, 46 “Ransomware” and 5 “Distributed denial-of-service (DDoS) attacks” cases.

  • In 2024, CSTCB processed over 25 million pieces of cyber threat intelligence, averaging more than 68,000 pieces per day. Among these, CSTCB identified over 440,000 cyber threats targeting Hong Kong.

  • Analysis of cybersecurity incidents revealed three recurring issues: inadequate access control and configuration, outdated and unpatched systems, and lack of effective threat detection mechanisms.

  • Over 90,000 Internet-facing assets of Hong Kong's critical infrastructures were assessed, and 5% had varying degrees of system vulnerabilities. Among the discovered vulnerabilities, 89% were classified as medium and low risk, and 11% were identified as critical and high risk.

Cyber Threat Forecast for the Coming Year

  • Surging AI-powered cyber threats and AI system risks

  • Ransomware attacks remain prevalent

  • Increasing Web3-related cyberattacks

  • Escalating IoT security risks

  • Growing supply chain and third-party risks

  • Intensifying cloud security and hybrid work risks

  • Emerging attacks on critical infrastructures

PCPD July-Aug Professional Trainings-AAB case, Privacy Management Program

7 Jul 2025

As Hong Kong is learning, a deepfake crime epidemic is upon us

4 Jul 2025

In a world increasingly driven by artificial intelligence (AI), our faces, voices and even patterns of digital movements are no longer just personal identifiers but raw material. Scraped from the nooks and crannies of the internet, this data is repurposed as training material or synthetic content through a slew of affordable AI tools.

Bi-Annual Reminder of Data Protection

30 Jun 2025

The bi-annual reminder has been updated on the DPO website: https://dpo.hku.hk/governance/hku-system-and-practices. Please check.

Exam leak controversy | King's College final exam question leaked; Form 4 students forced to resit Chinese composition

28 Jun 2025

News is only available in Chinese.

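King's College, a traditional elite school, has been hit by an exam leak controversy. The school issued a notice to parents yesterday (17th) admitting that a teacher, while uploading practice materials to Google Classroom, accidentally uploaded the essay topic for the Form 4 Chinese Language final examination as well, causing the question to leak. In the interest of fairness, the school arranged a resit, with the higher of the two scores to count. The move has angered students, who criticised the school for not investigating thoroughly and for turning innocent students who sat the exam honestly into scapegoats, saying the arrangement amounts to punishment and is unfair. TOPick made enquiries with the school but had not received a response before publication.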

McLaren Health Care sees 743,000 patients affected

24 Jun 2025

A ransomware attack between July and August 2024 affecting McLaren Health Care and Karmanos Cancer Institute has resulted in a mammoth data breach affecting nearly 750,000 people.


Hackers stole the data of 743,131 people, including their Social Security numbers, health insurance information, driver's license details, names and medical data.


The attack has been linked to the INC ransomware gang; however, McLaren's public statement failed to directly attribute the attack to any group.

RSVP - June 27 2025 HKU Data Protection Event with PCPD

11 Jun 2025

Please register via QR code. Look forward to your participation!

- First posted on Apr 23

- Reposted on June 11 - panel change: a moderator with 3 speakers

AT&T Data Leak: 86 Million Records Exposed in Latest Alleged Breach

9 Jun 2025

The hackread.com research team first spotted the leak on 15 May 2025. It surfaced on a well-known Russian cybercrime forum, only to be reposted on 3 June. That’s when it began circulating widely across dark web channels. The dataset includes full names, dates of birth, phone numbers, email addresses, physical addresses and, most alarmingly, 44 million Social Security Numbers in plain text. These records are neatly organized into three CSV files. Structured. Easy to read. Easy to exploit.

Largest ever data leak exposes over 4 billion user records

9 Jun 2025

The Cybernews research team’s latest findings reveal the supermassive data leak:

  • Hundreds of millions of users are likely exposed

  • Data leak contained billions of documents with financial data, WeChat and Alipay details.

  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

A humungous, 631GB-strong database was left without a password, exposing a mind-boggling 4 billion records. The dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

Copyright @2024 The University of Hong Kong. All Rights Reserved.