HK urged to improve accountability after 2 more gov’t data breaches

The Hong Kong government should improve accountability and ensure computer security measures are put in place to protect citizens’ privacy, a lawmaker has said after two more departments reported data breach incidents last week.

Hong Kong lawmaker Elizabeth Quat meets the press on May 6, 2024. Photo: DAB.

It was “not ideal” that government departments and statutory bodies often “procrastinated” and reported data breach incidents to the Office of the Privacy Commissioner for Personal Data (PCPD) after “a certain period of time,” legislator Elizabeth Quat of the pro-Beijing DAB party said on Monday.

Citizens’ data at risk

The remarks from Quat, who chairs the Panel on Information Technology and Broadcasting at the legislature, came days after the Electrical and Mechanical Services Department (EMSD) and the Companies Registry reported last week that personal data stored on their servers had been compromised.

The EMSD said last Thursday that an online server platform, which stored data collected during the government’s Covid-19 restriction-testing declaration operations between March and July 2022, saw a password login system failure.

testing booths kwai chung covidtesting booths kwai chung covid
Government enforces “restriction-testing declaration” and compulsory testing notice in 2022. File photo: GovHK

The glitch was flagged by the privacy watchdog to the department last Tuesday. The system error allowed the names, telephone numbers, identity card numbers and addresses of around 17,000 people to be viewed on the server platform without entering any password, the EMSD said.

There was no evidence that the personal information had been published anywhere, the department said, adding it had reported the case to the police and would notify households affected.

Separately, the Companies Registry said last Friday that the design of its e-Services Portal by a contractor had resulted in the transmission of additional personal data to the client’s computer during searches.

Although the additional information was not displayed on the search result pages, it could be obtained with the use of a web developer tool. Some personal information could be also accessed using a search request issued by a computer programme, the Companies Registry said.

The Companies RegistryThe Companies Registry
The Companies Registry. File photo:

It was estimated that around 110,000 data subjects were affected, with their names, full passport numbers, identity card numbers, residential addresses, telephone numbers and email addresses at risk of being leaked.

Lack of awareness

Quat said on Monday that the recent data incidents reflected a lack of awareness of network security and the protection of personal privacy among staff members.

Instead of merely relying on guidelines issued by the Office of the Government Chief Information Officer (OGCIO), the government should require department heads to ensure sufficient security measures for its information technology systems, Quat said. Anyone responsible for negligence or a violation should be held accountable and disciplined accordingly, the legislator added.

government headquarters cgo central officesgovernment headquarters cgo central offices
Hong Kong government headquarters. File photo: GovHK.

“Asking the OGCIO to oversee 70 odd government departments and several hundreds of computer systems is unrealistic,” the lawmaker said in Cantonese.

The government should also include a privacy data assessment audit before releasing any information technology systems to ensure they do not release excessive data to the general public, the DAB legislator said.

Quat added that she hoped the new Digital Policy Office, which will merge the existing OGCIO and the Efficiency Office, could monitor cyber attack trends closely, issue warning notifications in a timely manner, and improve the government’s real-time response to information security threats.

Uptick in breaches

The privacy watchdog said it received more than 150 data breach notifications last year, marking a nearly 50 per cent increase compared to the previous year.

Last month, the city’s privacy watchdog found  “clear oversight” in a data leak involving technology park Cyberport. The government-owned tech hub was said to have infrequent security audits and unnecessary retention of personal data, which allowed its servers to be attacked by malicious ransomware last August.

Last September, the Consumer Council fell victim to hackers who launched a cyberattack that damaged about 80 per cent of the watchdog’s computer systems.

Support HKFP  |  Policies & Ethics  |  Error/typo?  |  Contact Us  |  Newsletter  | Transparency & Annual Report | Apps

Help safeguard press freedom & keep HKFP free for all readers by supporting our team

press freedom day hkfppress freedom day hkfp
contribute to hkfp methodscontribute to hkfp methods


Leave a Comment