
Latest News
23 Sept 2024
Dell data breach after a threat actor leaked the data for over 10,000 employees
The allegations were published yesterday by a threat actor named "grep," alleged to hold 20 GB of data, including source code, credentials, private keys, API keys, employee data, T-Mobile virtual machine logs, documents, and more.
"grep" claimed another high-profile data breach on September 9, 2024, when he posted data allegedly stolen from the French IT giant Capgemini.
Earlier this year, Dell suffered a data breach after a company API was abused to steal 49 million customer records.
19 Sept 2024
Sai Ying Pun Community Hall applicants' data leaked
The Central and Western District Office said it received a report from the contractor on Monday (Sep 16). The personal data of 306 hirers for the Sai Ying Pun Community Hall is at risk of exposure following the loss of a USB device by a facility management services contractor employee. The USB contains the name of the organization, booking date and time of the event, names and phone numbers of the contact persons for the 306 applicants.
19 Sept 2024
“AI and Personal Data Privacy”-PCPD Experience Sharing Session
With the adoption of artificial intelligence (AI) on the rise, many businesses are using AI or exploring the advantages of using AI to improve their operations.
To assist businesses in using AI while safeguarding personal data privacy, the PCPD organises this sharing session to discuss the rise of AI and the privacy risks it poses, and to introduce the PCPD’s recently published “Artificial Intelligence: Model Personal Data Protection Framework”. An HSBC representative is also invited to share their practical experience in developing, procuring and using AI in a privacy-friendly manner, as well as how to strike a balance between leveraging the benefits of AI and safeguarding personal data privacy.
19 Sept 2024
Deloitte: Threat Actor IntelBroker Allegedly Claims Leak of Deloitte Internal Communications
The breach reportedly occurred in September 2024, when an Apache Solr server was inadvertently exposed to the internet with default login credentials, allowing unauthorized access.
IntelBroker, who is associated with the BreachForums community, shared proof of access to these sensitive communications on the platform. BreachForums has been a hub for cybercriminals since its inception.
The compromised data includes email addresses, internal settings, and communications between intranet users.
16 Sept 2024
Fortinet has confirmed suffering a data breach impacting customers
Fortinet on Thursday confirmed suffering a data breach impacting customers.
The hacker, who uses the online moniker ‘Fortibitch’, made the announcement on a popular hacking forum and claimed that the data — 440 Gb in total — came from an Azure Sharepoint instance. The threat actor indicated that the decision to make the stolen data available came after Fortinet refused to pay a ransom. The hacker has shared information for accessing an AWS S3 bucket that allegedly stores the data, but SecurityWeek has not attempted to access it. Several users of the hacker forum complained about not being able to gain access to the files.
2 Sept 2024
Compliance Guide & Code of Practice of ID Number & other Personal Identifiers
https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/code_data_1.html
Compliance Guide for Data Users - As the Hong Kong Identity Card (ID Card) contains sensitive personal data, and the leakage of such data may lead to identity theft and the perpetration of fraud, organisations should be particularly careful when they collect and handle the ID Card data of members of the public.
https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/ID_Leaflet_e.pdf (v2)
https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/picode_en.pdf (v1)
The Code of Practice leaflet provides advice for the situations listed. The indiscriminate collection and improper handling of HKID Card numbers and copies may unduly infringe the privacy of individuals and create opportunities for fraud.
2 Sept 2024
PCPD Aug Newsletter - Six Tips to Prevent Fraud with Deepfake Face Swapping Demo
During the first half of 2024, the PCPD received nearly 600 enquiries relating to fraudulent activities targeting the personal data of the enquirers, which represented an increase of nearly 90% when compared to 312 cases year-on-year. Scams include those conducted through instant messaging applications (apps) and social media platforms, scam videos produced using AI, and telephone scams.
6 essential tips to safeguard personal data privacy:
1. Be vigilant
2. Keep an eye on your accounts and transaction records
3. Password protection
4. Smart use of social media and instant messaging apps
5. Authenticate the identity of callers
6. Fraud prevention information
7 foundational principles of Privacy by Design for developing ICT systems or applications:
1. Proactive and Preventive
2. Data Protection as the Default
3. End-to-end Security
4. Data Minimisation
5. User-centric
6. Transparency
7. Risk Minimisation
28 Aug 2024
Data Protection and Cyber Security Laws
More countries are recognising the evolving technology landscape and the importance of protecting personal data, and are taking significant steps to enhance their legal infrastructure. This article on Data Protection and Cyber Security Laws in Saudi Arabia lists the principles of privacy and safety in personal affairs.
Listed below are 3 areas that Hong Kong has covered, while Saudi Arabia has covered 2 more comprehensively across its larger territory.
Personal Data Protection Regulation - HK PCPD measures
Anti-Cyber Crime Law - HK Critical Infrastructure Bill (to be official before end 2024)
Framework and controls designed for the management, governance, and safeguarding of personal data to optimize data structuring across diverse government bodies - HK PCPD AI Framework & collaboration with other gov departments
12 Aug 2024
UN cybercrime treaty approved on Aug 8 2024
A UN committee approved the first worldwide treaty on cybercrime on Aug 8 despite opposition from human rights groups and a coalition of tech companies. The treaty was adopted by consensus after three years of negotiations but still needs to face a vote from the General Assembly in the fall. It needs to be ratified by 40 nations there.
The convention establishes “a global criminal justice policy,” to protect society against cybercrime by “fostering international cooperation,” according to the treaty draft.
9 Aug 2024
Aug 21-PCPD Workshop on Personal Data Privacy Management Programme
Organisational data users should embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation. The formulation and maintenance of a comprehensive Personal Data Privacy Management Programme (PMP) is of paramount importance.
Course outline:
What is PMP
Baseline Fundamentals of a PMP
Appointment of Data Protection Officer
Ongoing Assessment and Revision
How to develop your own PMP
Data Ethics
8 Aug 2024
Aug 8 - PCPD Investigation Findings on the Data Breach Incidents (Sep 27 2023) of The Council of the HK Laureate Forum Limited
(1) Data Breach Incidents of The Council of the Hong Kong Laureate Forum Limited - a data breach notification was submitted to the PCPD on 27 September 2023, reporting that its computer systems and file servers had been attacked by ransomware (the Incident).
The Incident affected the personal data of 8,122 individuals, which included approximately 7,200 e-newsletter subscribers. The personal data affected included names, addresses, email addresses, telephone numbers, passport information, full/partial passport/HKID Card numbers, bank account/credit card information, dates of birth, nationalities/places of birth, CVs/transcripts, affiliated organisations and/or academic backgrounds.
The following deficiencies of the Council were the contributing factors:-
Deficiencies in information system management;
Lax monitoring of the data security measures adopted by the service vendor;
Lack of policies and guidelines on information security; and
Lack of appropriate data backup solutions.
(2) The Ransomware Attack on the Servers of HKB
A data breach notification was submitted to the PCPD on 16 October 2023, reporting that HKB had suffered a ransomware attack on 29 Sep 2023, which affected four physical servers of the information systems of HKB. On 17 Sep 2023, the hacker deployed (via domain admin) “LockBit” ransomware on HKB’s information systems, which resulted in the encryption of files and the exfiltration of data and files stored therein.
The following deficiencies were the contributing factors:-
1. Outdated operating software of the Server;
2. Unnecessary exposure of the Server to the Internet during system migration performed by the service vendor;
3. Lack of monitoring of the data security measures adopted by the service vendor; and
4. Absence of security assessments and security audits of the information systems.
Additional info - https://www.thestandard.com.hk/breaking-news/section/4/219202/Hong-Kong-Laureate-Forum-and-HK-Ballet-criticised-over-privacy-breach
2 Aug 2024
PCPD seminar-“AI and Privacy Protection: Balancing Innovation and Safety”
Reposted on Aug 2 for presentation materials
Please click here for the Privacy Commissioner’s presentation deck (Chinese only) - https://www.pcpd.org.hk/english/whatsnew/files/20240730_AISeminar_PC_2.pdf
Please click here for Dr Tang’s presentation deck (Chinese only) - https://www.pcpd.org.hk/english/whatsnew/files/20240730_PPT_DrArvinTANG_Rev.pdf
Posted on July 12
Registration - https://www.pcpd.org.hk/spec_event/spec_event82_apply.php
With the rapidly increasing use of artificial intelligence (AI), businesses of all sizes have begun to explore the potential of integrating the technology into their operations. However, some organisations remain hesitant owing to concerns over compliance with regulations, including the Personal Data (Privacy) Ordinance.
To assist organisations in adopting AI while safeguarding the personal data privacy of individuals, the Office of the Privacy Commissioner for Personal Data (PCPD) is organising this seminar, where Ms Ada CHUNG Lai-ling, the Privacy Commissioner for Personal Data, will introduce the PCPD’s newly published “Artificial Intelligence: Model Personal Data Protection Framework”. The Privacy Commissioner will introduce best practices for organisations that procure, implement and use AI systems (including generative AI) involving the use of personal data. In addition, Dr Arvin TANG, Director of Multimedia Systems and Analytics of Artificial Intelligence and Trust Technologies from the Hong Kong Applied Science and Technology Research Institute (ASTRI), will offer practical experience on how AI can be developed and applied in a privacy-friendly manner.
1 Aug 2024
PCPD Joins Global Privacy Enforcement Network in recommending online platforms or apps design
The PCPD joined the Global Privacy Enforcement Network (GPEN) earlier to conduct a global privacy protection sweep (Sweep) on more than 1,000 websites and mobile applications (apps) globally under the theme of “Deceptive Design Patterns”.
A global joint report was issued today upon completion of the Sweep. A total of 52 authorities took part, coordinated jointly by GPEN and the International Consumer Protection and Enforcement Network (ICPEN).
The participating enforcement authorities encourage businesses to design their online platforms or apps in a manner that enables users to make informed privacy-protective choices that reflect their preferences. Good privacy-protective designs include:
Make the most privacy-protective option the default choice;
Emphasise the provision of privacy options to users;
Avoid using biased language and design, and present privacy choices in a fair and transparent manner;
Allow users to easily find privacy information, log out, or delete an account without the need for multiple clicks; and
Provide timely relevant consent options to users.
https://www.pcpd.org.hk/misc/dpoc/newsletter.html
The Sweep report is here - https://www.privacyenforcement.net/content/2024-gpen-sweep-deceptive-design-patterns-reports-english-and-french.
29 Jul 2024
Oxfam HK reveals it suffered a cyberattack; affected systems include Oxfam Trailwalker
The Hong Kong branch of the international charity Oxfam has revealed that it suffered a cyberattack, with investigations under way to determine whether personal data was leaked. The charity first revealed the attack in a statement on its website on Saturday, but it was more widely reported on Friday when an email concerning the case was sent to potential victims. The charity says it discovered the incident on July 10; it affected several systems, including the one used for the Oxfam Trailwalker. Oxfam Hong Kong said it immediately launched an investigation and engaged independent cybersecurity experts to assess the affected systems, determine the impact of the attack and offer remedies.
23 Jul 2024
MediSecure Data Breach - 12.9 Million Records Stolen, Identification of Affected Individuals Difficult
The April 2024 MediSecure data breach involved ransomware, with 6.5 TB of data taken and about 12.9 million records exposed, second only to the massive Canva breach in May 2019.
An incident analysis has since determined that at least one of the company’s database servers was hit with ransomware. However, the general lack of structure in the data sets may actually be helping to shield victims, as it can be difficult to tie details to individual identities. The data breach included details on prescriptions from March 2019 to November 2023, such as the drug types and dosages issued, the dates issued and the patient conditions related to the prescription.
15 Jul 2024
PCPD What's New in website “Seminar on Personal Data Privacy and Protection in Higher Education”
PCPD What's New (pcpd.org.hk) - https://www.pcpd.org.hk/english/whatsnew/20240715.html
Reaching out to Universities – PCPD and the University of Hong Kong Jointly Organise the “Seminar on Personal Data Privacy and Protection in Higher Education"
The Office of the Privacy Commissioner for Personal Data (PCPD) and Information Technology Services – Data Protection Office of the University of Hong Kong (HKU) co-organised the “Seminar on Personal Data Privacy and Protection in Higher Education” on 11 July, which attracted more than 120 participants from the higher education sector.
At the seminar, Ms Clemence WONG, Acting Senior Legal Counsel of the PCPD, provided the participants with an overview of the six data protection principles and the requirements for cross-border transfers of personal data from Hong Kong under the Personal Data (Privacy) Ordinance, as well as the facilitation measures of the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong).
During the panel discussion, Ms Ines LEE, Senior Legal Counsel of the PCPD, shared with the other guest speakers her insights on the development and challenges of protecting personal data privacy, including the privacy risks brought by artificial intelligence.
- Ms Clemence Wong’s presentation deck (Data Privacy Laws) - https://www.pcpd.org.hk/english/whatsnew/files/PCPD_0907.pdf
- Ms Ines Lee’s presentation deck. (trends in global privacy landscape and AI model) - https://www.pcpd.org.hk/english/whatsnew/files/high_education_HKU.pdf
15 Jul 2024
AT&T Pays Hacker US$370,000 to Delete Stolen Phone Records
US telecom giant AT&T disclosed that hackers had stolen call records for tens of millions of its customers. In a surprising twist, the company paid a member of the hacking team more than $300,000 to delete the stolen data and provide proof of deletion. The hackers exploited poorly secured Snowflake accounts. The breach affected nearly all AT&T cellular customers and customers of other carriers who communicated with them between May and October 2022, and on January 2, 2023. Landline numbers were also impacted.
Despite AT&T’s payment to delete the stolen data, some customers may still be at risk as others might possess portions of the data. The incident highlights the growing threat of hackers exploiting vulnerabilities in cloud storage systems to steal sensitive information from major corporations.
12 Jul 2024
Thanks for your commitment - July 11 HKU-PCPD Data Protection Event for Higher Education
Event completed. Presentations will be posted on the DPO website under ITS/DPO Training.
July 11 - HKU co-organised with the PCPD for the higher education community - https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=94510. Privacy principles will be highlighted, and best practices and preventive measures in cybersecurity will be discussed.
14:15 - Reception
14:30 – 15:15 - Ms Clemence WONG, Acting Senior Counsel, PCPD
• Highlights of Data Privacy Laws
15:30 – 16:10 - Mr Arktos Lam, Cybersecurity Manager, HKIRC
• Cybersecurity in Higher Education
16:15 - 16:35 BREAK
16:35 – 17:15 - Panel Discussion (Addressing Future Challenges in Higher Education)
• Specifics about Cross Border Data Flow and Control (Ms. Chandy Ye, Director of Data Privacy Committee of HKCNSA)
• Trends in Privacy Regulations (Ms Ines Lee, Head of Legal Division, PCPD)
• Addressing Risks of AI & Cyber Threat Trends (Mr Arktos Lam, Cybersecurity Manager, HKIRC)
Posted since June 17
12 Jul 2024
HKPF_HKIRC_PCPD-Ethical Phishing Email Campaign 2024
HKPF (CSTCB) - HKIRC - PCPD: "Ethical Phishing Email Campaign 2024"
The Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and the Hong Kong Internet Registration Corporation Limited co-organise the “Ethical Phishing Email Campaign 2024” (the Campaign) to raise your staff’s awareness of suspicious emails and improve your organisation’s cyber security posture. The Campaign is supported by the Office of the Privacy Commissioner for Personal Data.
The Campaign will be conducted from August to September 2024, and participation will be free of charge. During the Campaign, your provided email addresses will receive several pseudo-phishing emails at irregular intervals to test your staff’s awareness.
Once the campaign concludes, each participating organisation will receive a comprehensive report on their employees’ performance in handling suspicious emails.
11 Jul 2024
Websites of the Office of the Secretaries of Security in Macau are targeted in a Cyber Attack
The Macau SAR has seen a recent uptick in identity theft and cybercrime, with an influx of sponsored ads popping up on social media platforms. The cyber attack followed a surge in fraudulent activities and other related crimes in the city.
The cyber attack on the Secretaries’ offices in Macau started at 8pm on July 10 and resulted in several websites becoming inactive, including those of the Office of the Secretary for Security, the Public Security Police Force, the Fire Services Bureau, the Public Security Forces Affairs Bureau of Macau and the Academy of Public Security Forces, “due to a distributed denial-of-service (DDoS) attack from overseas.” The Judiciary Police have already begun investigations into the incident.
South China Morning Post (scmp.com) - Overseas cyberattack shuts down 5 Macau government websites for 45 minutes - https://www.scmp.com/news/article/3270048/overseas-cyberattack-shuts-down-5-macau-government-websites-45-minutes