Hong Kong's Privacy Commissioner, Ada Chung Lai-ling, has announced an impending investigation into a recent data breach that exposed the personal details of 17,000 residents.
The "serious" data leak, stemming from a flaw in a government department's password login system, involved sensitive information collected during COVID-19 containment efforts.
What Happened in the Hong Kong Data Leak
As the South China Morning Post reports, the compromised data includes names, telephone numbers, identity card numbers, and addresses of individuals involved in "restriction-testing declaration" operations conducted by the Electrical and Mechanical Services Department between March and July 2022. These operations were crucial during the pandemic, requiring residents to stay in their buildings until everyone was tested for the virus.
Separately, a 2022 report from Tech Times said that Hong Kong's COVID-19 tracing app was flawed, indicating that personal data in the records might be compromised.
How the Hong Kong Privacy Watchdog Reacted
Following the breach, the Privacy Commissioner urged immediate action to inform all affected individuals, stressing the gravity of the leak given the large number of people involved. The breach primarily affected residents of 14 public housing blocks, including Yan Ching House in Kai Ching Estate, Oi Ming House in Yau Oi Estate, and Kwong Wai House in Kwong Fuk Estate.
The department acknowledged the incident shortly after the privacy watchdog was alerted by a public report claiming that data stored on a supposedly secured online server was accessible without any password protection.
"The Electrical and Mechanical Services Department immediately checked and found that the password login system had failed. The data could be browsed without entering any password but they were not downloadable. The [department] expresses its sincere apologies for the incident," it said, highlighting that the data had been removed.
No Evidence of Published Data
The department has reported the incident to the police, the Office of the Government Chief Information Officer, and the Security Bureau, highlighting the seriousness of the security lapse.
Despite the breach, the department reassured the public that there is currently no evidence to suggest that the exposed data has been published or misused elsewhere. It has committed to notifying all affected households and is taking steps to ensure such a breach does not happen again.
The investigation has only just begun, and Hong Kong's authorities now face the task of strengthening their data protection protocols to prevent future occurrences. It may be a hard battle, but it is also a way to restore public trust in their handling of personal information.
In 2023, Hong Kong's Office of the Privacy Commissioner for Personal Data saw a nearly 50% increase in data breach notifications. The watchdog said that this amounted to more than 150 notifications, per Hong Kong Free Press.