Latest News

A total of 127,268 individuals were  affected by the Incident, which included 100,185 ICARD members, 27,069 Brooks  Brothers members, and 14 current and former employees of ImagineX, etc. The personal  data affected included the names, email addresses, telephone numbers, birth months, genders, and nationalities of the members, as well as the passport copies of the employees etc. The incident: ImagineX received a ransom note from a threat actor on 15  May 2024.

https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r25_09623_e.pdf

Deficiencies contributed to the Incident:

1. Failure to delete temporary account timely after system troubleshooting

2. Use of end-of-support operating system

3. Ineffective detective measures for information systems

4. Insufficient security risk reviews and audits for information systems

Queen's Colleage emailed staff, students and parents about cyberattack. The email explained that the school's eClass system was hacked and student's violation records were changed with addtion of fake punishments under different teachers' names. eClass is a school management platform in Hong Kong used by over 800 schools. It helps with tasks such as tracking student performance and managing teaching materials.

The school has promised to review it's cybersecurity and implement new measures to protect student data. The incident highlights the growing vulnerability of educational institutions to cyberattacks.

As evidence continues to pile up, security providers warn customers to secure networks as they wait for official guidance following claims of a massive attack against Oracle Cloud.

A threat actor last week claimed to have stolen 6 million data records, including user credentials, from Oracle Cloud, which could affect more than 140,000 customers. After initially releasing strong denials, Oracle has been silent this week, while security researchers have compiled evidence backing claims of an actual attack.

https://www.techradar.com/pro/security/oracle-denies-data-breach-after-hacker-claims-to-hold-six-million-records

https://www.darkreading.com/cyberattacks-data-breaches/oracle-still-denies-breach-researchers-persist

Oracle this week steadfastly continued to deny an alleged breach of its Oracle Cloud environment even as some security researchers doubled down on their analysis suggesting otherwise.

According to local media Jizhishe, Far East Consortium (00035.HK) was hacked into its system and a data leak occurred, involving about 250GB of data dated Mar 5. The PCPD replied and confirmed that it had received the company's notification of the incident last Monday (17th). Information included 「EmailBackup],「Proj-KT6607-Kai Tak 6607 Vo],「Password.xlsx],「Login ID&PW」etc.

Lingnan University on Mar 11 discovered a significant breach in one of its information systems, leading to the leakage of thousands of internal documents. The incident has compromised the sensitive personal information of faculty, students, and former course applicants. Approximately 200 of these documents contained critical data, including names, photographs, personal contact details, identification card information, and financial, educational, and employment-related information.

The university stated that they are also committed to enhancing their internal network security measures to prevent similar incidents in future.

The PCPD concluded its investigation on Mar 12 2025, attributing the breach to the use of common modules in the system’s design, which inadvertently included excessive data fields.

A total of 109,002 individuals may have been affected, including 108,575 company directors whose HKID card numbers, passport numbers, and residential addresses were exposed. The breach was reported by the Companies Registry on April 19, 2024, after it identified a risk of personal data leakage in the e-Search Services of its e-Services Portal, following a system revamp launched in late 2023.

Given several security measures during system's revamp and the lack of evidence of unauthorized access, the PCPD found insufficient grounds to conclude that the Companies Registry had failed to take all practicable steps to safeguard personal data thus they are cleared of privacy violations.

The cryptocurrency exchange Bybit (Dubai based) was hacked for more than $1.4 billion worth of Ethereum in what cybersecurity experts are calling the largest-ever theft targeting a cryptocurrency platform. 

In a livestream to address the incident on Friday, Bybit CEO Ben Zhou confirmed that 401,000 ETH coins had been stolen. He assured customers that other wallets had not been impacted and said the exchange had enough liquidity to honor withdrawals and to survive the incident. The DeFi platforms Ronin Network and Poly Network each lost more than $600 million in hacks.

https://podcasts.apple.com/hk/podcast/data-privacy-matters-%E6%95%B0%E6%8D%AE%E9%9A%90%E7%A7%81abc/id1783777444

个人信息保护合规审计管理办法将在2025年5月1日生效

本期邀请数据合规资深专家赵老师，一起聊聊该个保审计的落地，数据合规技术工具的选择，以及数据合规和业务平衡的艺术。

1:42 数据合规审计的落地

13:25 数据合规技术工具的选择

21:10 数据合规与业务的平衡

China mandatory PIPL compliance audit requirements will be effective from 1 May 2025.

We have invited our friend Laoshi Zhao, who is an experienced data compliance expert in the industry to share his insights about how to implement the new audit requirements in the MNC environment.

A massive cybersecurity breach has compromised over 35,000 websites, injecting malicious scripts that completely hijack users’ browser windows and redirect them to Chinese-language gambling platforms.

Security experts suggest this campaign may be connected to the Megalayer exploit, known for distributing Chinese-language malware.

Website owners are advised to audit their source code for unauthorized script tags, block the malicious domains through firewall rules, regularly check for unauthorized file modifications, implement Content Security Policy restrictions, and perform frequent site scans using tools like PublicWWW or URLScan to uncover malicious injections.

Orange intiated an investigation and is working to minimize the impact of the incident. According to the threat actor, who uses the alias Rey and is a member of the HellCat ransomware group, the stolen data is mostly from the Romanian branch of the company and includes 380,000 unique email addresses, source code, invoices, contracts, customer and employee information. 

Rey says that they stole almost 12,000 files totaling close to 6.5GB after compromising Orange’s systems by exploiting compromised credentials, and vulnerabilities in the company’s Jira software for bug/issue tracking, and internal portals.

PCPD Prof Training (Charged) - Mar 5 Court cases & AAB Decisions

(1) Major data privacy issues raised in recent decisions of the Hong Kong Court and the Administrative Appeals Board

(2) In-depth discussion and interpretation of key provisions of the Personal Data (Privacy) Ordinance.

(3) Familiarisation of recent decisions that can serve as legal authorities and practical examples for solving problems encountered in compliance work.

PCPD Prof Training (Charged) - Mar 17 Data Access Request

Practical guidance on issues relating to compliance with a Data Access Request ("DAR") raised by customers or employees

Scammers often commit fraud by swindling or embezzling your personal data, such as name, identity card number, phone number, email address, credit card number and security code, etc. Therefore, you must always be vigilant, especially when using smartphones and social media, to prevent scammers from obtaining your personal data.

PCPD and Anti-Deception Coordination Centre (ADCC) of the Commercial Crime Bureau of the Hong Kong Police Force will discuss the latest trends of scams, using real cases as examples.

Invest Hong Kong (InvestHK) announced today (February 23) that an information security incident was identified yesterday (February 22). The incident involved a malicious ransomware attack to part of InvestHK's computer systems. InvestHK reported the case to the Police, the Digital Policy Office (DPO), PCPD and the Security Bureau respectively on the same day. 

Preliminary findings indicated that the affected areas included an internal Customer Relationship Management (CRM) system, intranet and part of InvestHK's website operations, such as the function to contact InvestHK via the website form and events updates. InvestHK's public services remain normal. Members of the public can continue to contact staff of InvestHK through telephone, email or face-to-face meetings.

Berry, Dunn, McNeil & Parker, LLC (BerryDunn) has agreed to settle a class action lawsuit that alleged negligence for failing to prevent a data breach that affected more than 1.1 million individuals (personal & health info). The accounting and consultancy firm that provides services to several industries, including health data analytics services to healthcare providers, health insurers, and government regulatory and healthcare policy agencies. 

Legal action was taken by individuals affected by the data breach and the lawsuits were consolidated into a single suit – In re: Berry, Dunn, McNeil & Parker Data Security Incident Litigation, in the U.S. District Court for the District of Maine. BerryDunn chose to settle the lawsuit with no admission of wrongdoing and liability to avoid the risks and costs associated with continuing the litigation.

https://www.tannerdewitt.com/artificial-intelligence-regulatory-landscape-in-china-and-hong-kong/

https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

https://www.mfa.gov.cn/eng/wjbzhd/202412/t20241218_11497479.html

HK AI regulation - adopted a context-based approach. Regulators (PCPD) have published regulations & guidelines within existing frameworks in the development, supply and use of AI systems in HK.

China GenAI Regulation - Released on Sep 14, 2024, by the Cyberspace Administration of China (CAC) aims to standardise the labelling of AI-generated content to safeguard public interests and protect the rights of citizens, organisations, and legal entities.

The European AI Office, established in Feb 2024 within the Commission, oversees the AI Act’s enforcement. The AI Act entered into force on 1 Aug 2024, and will be fully applicable 2 years later on 2 Aug 2026. It sets out a clear set of risk-based rules to measure guarantee safety, fundamental rights and human-centric AI, and strengthen uptake, investment and innovation in AI across the EU.  

Republished on February 8th with new analysis into Google’s tracking cookie replacement and implications for Chrome’s 3 billion users. 

While there’s no agreed end-date to tracking cookies, Google has teased a one-click solution for users to stop being tracked. Think of this as its equivalent to App Tracking Transparency deployed by Apple. Google doesn’t need tracking cookies itself. It almost certainly knows who you are because you hold one of its accounts.

Meta has confirmed that a zero-click, no-interaction required hacking attack has impacted users of the WhatsApp secure messaging platform. Meta has not confirmed where they were located geographically although it is believed they were from more than 20 countries. Those users were compromised by spyware from an Israel-based software company called Paragon Solutions. Meta has issued a cease and desist letter to Paragon and is exploring further legal avenues. Paragon, meanwhile, is yet to comment.

12 Feb, 2:15–5:15pm, Face-to-Face - Data Protection in Human Resource Management

26 Feb, 2:15–5:15pm, Online - Data Protection in Direct Marketing Activities

5 Mar, 2:15–5:15pm, Online - Recent Court & Admin Appeals Board Decisions

12 Mar, 2:15–5:15pm, Online - Data Protection in Banking/Financial Services

19 Mar, 2:15–5:15pm, Face-to-Face - Data Protection & DAR

12 Feb - Professional Workshop on Data Protection in Human Resource Mgt

Key take-aways:

• A thorough understanding of the requirements of the PDPO and the Code of Practice on Human Resource Management when handling employees’ personal data in the entire employment process from cradle to grave

• How to properly handle Data Access Requests

• How to tackle employees’ personal data privacy issues arising from COVID-19

Presentation in Chinese only.

Additional info: 

https://www.hkcert.org/f/report/912892/916161/2024Q3%20HK%20SecurityWatchReport%20(Chinese).pdf

https://www.infosec.gov.hk/tc/knowledge-centre/data-breach

Seven cassettes of tapes were lost during the transportation from the Immigration Tower to the Queensway Government Offices on December 23 2024 in accordance with the recovery and backup procedures. The incident has been reported to the relevant authorities, including the Hong Kong Police Force, the Office of the Privacy Commissioner for Personal Data, the Security Bureau and the Digital Policy Office. PCPD received a notification of the data breach incident on 24 January and had initiated an investigation into the incident in accordance with established procedures.