
Latest News

PCPD training Oct 22-Data Protection in Direct Marketing Activities

9 Oct 2025

This workshop takes a practical approach to complying with the requirements under the PDPO in direct marketing activities and provides hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared with the participants.


Date: 22 October 2025 (Wednesday)

Time: 2:15pm - 5:15pm

Language: Cantonese

Format: Face-to-face

PCPD training Oct 15-Recent Court and Administrative Appeals Board Decisions (Online workshop)

9 Oct 2025

Legal practitioners and compliance officers often find themselves in practical need of keeping abreast of the latest decisions and the legal arguments of the court and the Administrative Appeals Board in relation to data privacy. Hosted by a PCPD lawyer, this workshop will let you take a deep-dive into the crunch issues in those cases and the commonly deployed provisions of the Personal Data (Privacy) Ordinance.

Date: 15 October 2025 (Wed)
Time: 2:15pm – 5:15pm

Language: Cantonese

Red Hat Breach: Crimson Collective Claims Massive Theft of Private Repositories

4 Oct 2025

On October 1, 2025, a Telegram channel linked to the Crimson Collective shared evidence of a breach targeting Red Hat’s private repositories.


According to the threat actor, they exfiltrated around 570 GB of data (compressed) from more than 28,000 Red Hat repositories, including Customer Engagement Reports (CERs) – consulting documents known to contain configuration files, network architecture, and even authentication tokens. A total of 800+ customers may be impacted, including commercial giants like IBM, Citi, Siemens, Bosch, and Verizon, and U.S. government agencies including the NSA, Department of Energy, NIST, and others.


IAPP - Global AI Law and Policy Tracker

3 Oct 2025

China has been proactive in adopting legislation and regulations around the use of AI, with several national laws currently in place. Currently, the laws, regulations, and policies governing AI in China are specific to AI use cases.

• Algorithmic Recommendation Management Provisions [IN FORCE]

• Interim Measures for the Management of Generative AI Services [IN FORCE]

• Deep Synthesis Management Provisions [IN FORCE]

• AI guidelines and summary of regulations [IN FORCE]

• Scientific and Technological Ethics Regulation [IN FORCE]

• Next Generation AI Development Plan [IN FORCE]


China established an AI standards committee, drawing members from industry, such as Baidu, Alibaba and Tencent - https://www.scmp.com/tech/big-tech/article/3290745/baidu-alibaba-tencent-executives-among-big-tech-members-new-china-ai-standards-committee, dated Dec 14 2024.

Oct 20-24 Data Protection & Cybersecurity Annual Awareness Week

2 Oct 2025

2025 Awareness Week: Artificial Intelligence in Personal Data Protection & Cybersecurity


Oct 20-24, 11:00-17:00, 2/F Main Library

CyberGuard & AI Capture Booth


Oct 22, 14:00-16:45, Seminar Room 2, 4/F HKUMed Academic Building

Data Protection Seminar: Emerging Risks in Data Protection in Healthcare - Please RSVP


Oct 24, 10:30-16:30, 2/F DIL

Data Protection Seminar: AI in Personal Data Protection & Cybersecurity

10:30-11:30 Mandarin session conducted by ADCC

11:30-12:30 Mandarin session by UDS

14:30-15:30 Cantonese session by UDS

15:30-16:30 English session by UDS



Harrods cyberattack - over 430,000 customers have data stolen

1 Oct 2025

  • An IT breach has exposed 430,000 Harrods customers' details

  • The data does not include payment information or passwords

  • Harrods is not engaging with the hackers

Luxury department store Harrods has confirmed it has been contacted by criminals claiming to have stolen the records of over 430,000 customers in an IT breach. The company said this breach is unconnected to the string of attacks which hit British high street retailers, including Harrods itself, M&S, and Co-Op, earlier in 2025.

HKU Data Protection Coordinator Meeting Rescheduled to Oct 10 (from Sep 25)

22 Sept 2025

Oct 10 2025 meeting topics - DAR, Inventory, PIA, Mandatory Training

RSVP - https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=102793 

====================================

From: Athene Cheung <athenec@hku.hk>
Sent: Friday, September 5, 2025 4:51 PM

Subject: Empowering data privacy - Sep 25, 11:00am - DAR, Inventory, PIA, Info Protection, Training-HKUEMS Registration

=====================================

From: Athene Cheung <athenec@hku.hk>
Sent: Tuesday, August 19, 2025 5:56 PM
Subject: Empowering data privacy - Sep 25, 11:00am - DAR, Inventory, PIA, Info Protection, 

  1. DAR process walkthrough, Target: DAR responsible staff members

  2. Data Inventory & retention – PRIVACY MGT PROGRAM | Dataprotectionoffice (2.1) to be updated annually, by Dec 2025. Note: Ben will share access with each coordinator for update (fall back to do file update as last year). Pls let us know for change of contacts here if any - Data Protection Coordinators Area | Dataprotectionoffice

  3. PIA – ongoing for new projects

  4. Information Protection – for confidential and restricted data

  5. Data Protection Training for ALL staff – to be completed by Dec 2025

  6. Bi-Annual reminder - HKU System and Practices | Dataprotectionoffice-under 07 Bi-annual reminder of data protection

Other updates:

  1. Workshops with individual department - please check Training Schedule | Dataprotectionoffice.

  2. HKU fiscal year July 2024 to June 2025 Mandatory data protection training for New Hired Staff – please see below summary. I will reach out to each faculty and share the results. Please support completion.

Major Cyberattack Disrupts Heathrow & Other European Airports

21 Sept 2025

Air travel across several major European hubs has been severely disrupted after what is being described as a cyber-attack on a key service provider responsible for check-in and boarding systems. 


The incident, which has impacted airports including London’s Heathrow, Brussels Airport, and Berlin Brandenburg Airport, has led to widespread delays, cancellations, and operational bottlenecks as authorities scramble to restore systems and return flights to schedule. Passenger queues stretched longer than usual, and airport staff struggled to accommodate the sudden operational shift. Flights that were already on tight turnaround schedules faced unavoidable delays, while some departures were canceled outright as airlines prioritized safety and logistical feasibility over punctuality.


Additional news for the incident - https://www.computerweekly.com/news/366631592/Cyber-attack-that-downed-airport-systems-confirmed-as-ransomware

Emergency calls were offline: Optus CEO says 'completely unacceptable' triple-0 failure due to network upgrade

21 Sept 2025

Emergency calls were offline for nearly 14 hours, during which four people died – including an eight-week-old baby. A fourth person died during Optus’s network outage on Thursday, its CEO has confirmed. Stephen Rue said in a statement released on Saturday afternoon that the telco was “saddened to learn of a new fatality in Western Australia, which appears to have occurred during the outage period”.

https://www.dailymail.co.uk/news/article-15116821/amp/optus-ceo-stephen-rue-outage-three-dead.html


A case study in China privacy operations: the Dior wake-up call

18 Sept 2025

China Privacy Operation PIPL Cross Border case - Dior - Wake Up Call

The investigation was launched after a data breach in May 2025 (impacted personal data of Dior’s customers - names, gender, phone, email, addresses, purchase, shopping preferences).


In September 2025, Dior's Shanghai subsidiary was penalized for PIPL violations:

- unauthorized cross-border data transfers

- inadequate user consent practices

- insufficient technical security measures


PIPL cross border CBDT:

  • Privacy Impact Assessments (PIAs);

  • Standard Contractual Clauses (SCCs) with the CAC;

  • "Sufficient Notice" & "Separate Consent" such as Employee privacy notices, consent letters;

  • Data Processing Agreements (DPAs) for B2B data-sharing arrangements;

  • Outward-facing privacy policies for B2C scenarios.

Other reference:

- https://www.rplawyers.com/china-fines-dior-reminder-for-firms-to-secure-cross-border-data/#:~:text=On%209%20September%202025%2C%20the,Article%2051%20of%20the%20PIPL)

- https://www.china-briefing.com/news/diors-pipl-violations-china-key-lessons/

#1-ALL full-time staff Mandatory Data Protection Training Reminder by end of 2025

17 Sept 2025

Please have all full-time staff members in your faculty, department or independent centre complete the mandatory data protection training by the end of 2025. Please click the single sign-on button on the page to get to the training platform - https://dpo.hku.hk/mandatory-dp-training.

RSVP Oct 22 Emerging risks in AI data protection and security in Healthcare

17 Sept 2025

Oct 22 Sassoon Campus-Emerging risks in AI data protection and security in Healthcare

The healthcare industry's rapid digital transformation, while unlocking incredible potential for patient care, has opened a new frontier of vulnerabilities. This critical seminar delves into the emerging risks that threaten the sanctity and security of sensitive health data. We will move beyond traditional IT concerns to explore the complex challenges posed by the proliferation of connected medical devices (IoMT), the adoption of AI and machine learning, sophisticated ransomware targeting critical care systems, and the immense difficulties of managing third-party vendor risk. Join us to gain essential insights into building a resilient, proactive security posture to protect patient trust and ensure compliance in an increasingly volatile landscape.

Date: Oct 22, 2025

Topic: Emerging risks in data protection and security in Healthcare

Venue: HKU Sassoon Seminar Room 2, 4/F 3 Sassoon Road

Language: English (or Cantonese depending on participation)

Face to Face & Online (Teams)

Time & proposed rundown. Please arrive before 2pm.

  • 2:00 pm Reception

  • 2:15 – 2:30pm opening by HKU CIO & University Librarian, Ms Flora Ng

Group Photo

  • 2:45 – 3:30pm Speech by Dr. Joseph Ho, Union Hospital

  • 3:30 – 4:15pm Speech by Dr. Summer Chan, Hospital Authority

  • 4:15 – 4:45pm Q&A

Tea/drink gathering with speakers & senior management 5pm.

Target audience:

  1. HKU LKS Faculty, departments & schools staff (mostly admin staff) & students

  2. Faculty of Dentistry staff (mostly admin staff) & students

Please RSVP https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?UEID=103049

________________________________________________________________________________

Join the meeting

https://teams.microsoft.com/dl/launcher/launcher.html?url=%2F_%23%2Fl%2Fmeetup-join%2F19%3Ameeting_YzMxNzY5MGMtN2ExNy00NTZmLWFkYjYtOWMzM2Y0N2M5NDVl%40thread.v2%2F0%3Fcontext%3D%257b%2522Tid%2522%253a%252242f9b54e-2477-41ba-bf09-7a0d2a83ff09%2522%252c%2522Oid%2522%253a%252205b220eb-c1d3-4911-a920-742639278ff9%2522%257d%26OR%3DOutlook%26anon%3Dtrue&type=meetup-join&deeplinkId=88710971-14bf-4574-8b2c-89d6a9896126&directDl=true&msLaunch=true&enableMobilePage=true&suppressPrompt=true

Meeting ID: 486 712 207 280 9

Passcode: tN7VN3rS

Burger King hacked - ethical hackers crack fast food security

13 Sept 2025

Two ethical hackers, known as BobDaHacker and BobTheShoplifter, recently revealed how easily they gained access to critical systems of Restaurant Brands International (RBI), the parent company of Burger King.

  • Hard-coded passwords exposed Burger King’s fragile security infrastructure worldwide

  • Hackers accessed employee accounts and internal configurations with shocking ease

  • Plain-text passwords sent via email revealed careless cybersecurity practices

Massive database containing identity info on 252 million people leaked online

11 Sept 2025

252 million people in seven countries (western) at risk of identity theft

A quarter of a billion people, located in seven countries around the world, were at risk of identity theft, wire fraud, phishing, social engineering, and other forms of cybercrime due to a collection of misconfigured databases leaking all sorts of personal information.

  • Security researchers at Cybernews found three servers holding a huge tranche of data on people in seven countries

  • Names, ID numbers, and more, were being leaked to the public

  • The archives are now locked down

The people are apparently from Turkey, Egypt, South Africa, Saudi Arabia, the United Arab Emirates, Mexico, and Canada, with those in the first three hit particularly badly, as they lost “full-spectrum” data.

Crisis as Catalyst: What the M&S Breach Teaches Us About Cybersecurity Decision-Making

27 Aug 2025

Insightful read - 


M&S committed to compress two years of digital transformation into just six months.

Decision #1: Is Cybersecurity Treated as an IT Problem or a Business Imperative?

Decision #2: Is the Organization Investing in People or Just Perimeter Defenses?

Decision #3: Does the Organization Manage Vendor Risk or Just Hope for the Best?

Decision #4: Is the Organization Responding With Strategy?

Do Not Waste the Crisis

Google confirms data breach hackers who used voice phishing to access Google’s internal Salesforce system

20 Aug 2025

Google confirms data stolen in breach by known hacker group. Hackers used voice phishing to access Google’s internal Salesforce system and steal data.


The breach was carried out by ShinyHunters, a well-known cybercriminal group formally tracked as UNC6040. The group has recently been linked to a string of high-profile incidents involving companies such as AT&T, Ticketmaster, Allianz Life, and Pandora. In this case, the attackers targeted Google’s corporate Salesforce instance, a system the company uses to store contact information and notes about small and medium-sized businesses.


Cisco, Qantas, and Pandora have all reported similar breaches in recent months, which now appear to be part of a broader campaign targeting cloud-based customer relationship management tools.

Aug 27 PCPD Public Seminar: "How to Protect Yourself in the New AI Era"

12 Aug 2025

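Artificial intelligence (AI) is becoming increasingly common in daily life. While AI brings convenience, it also gives rise to a number of personal data privacy risks, including data leakage, excessive data collection, use of personal data without consent, and data accuracy issues. Criminals even use AI deepfake technology to commit fraud, catching members of the public off guard.

To help the public understand how to protect themselves in the AI era and respond to its new privacy challenges, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Chung Lai-ling, will speak at this seminar. Using real cases, she will explain in accessible terms the privacy risks brought by AI and share how to keep personal data safe. The Privacy Commissioner will also offer advice and best practices on how enterprises can use AI safely.

Members of the public and organisations interested in the topic are welcome to attend. Places are limited and allocated on a first-come, first-served basis. To register, please visit: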

https://www.pcpd.org.hk/spec_event/spec_event94_apply_cn.php

NASCAR confirms user data breach following Medusa ransomware attack

30 Jul 2025

  • NASCAR files reports with state regulators confirming April 2025 attack

  • The company is offering free credit monitoring for affected victims

NASCAR has confirmed it suffered a cyberattack and a data breach in April 2025, in which personal information of racing fans was allegedly stolen.

Ransomware operators known as Medusa had claimed responsibility several months ago. In April 2025, the group added NASCAR to its data leak site and demanded $4 million in ransom.

Insurance giant Allianz says most US customer data stolen in cyber-attack

27 Jul 2025

According to the German parent company, the data breach was related only to Allianz Life. Hackers used a social engineering technique to steal personal information of 1.4 million customers in North America and selected Allianz Life employees, the parent company said.


"On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life)," Allianz said in a statement to the BBC.

Miles stolen, personal info exposed in CX data breach

25 Jul 2025

Hong Kong's flagship carrier has apologised over a data breach that led to frequent flyer miles being stolen and personal information of about 1,000 members exposed.

Cathay Pacific on Thursday said it was alerted to "fraudulent activities" on some membership accounts that "led to unauthorised access to personal data and theft of Asia Miles".

Data accessed by unauthorised parties included personal particulars and travel details, according to the carrier, but no credit card information was exposed.

Copyright @2026 The University of Hong Kong. All Rights Reserved.