Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public

“There is no evidence that relevant data have been released.”

It offered “sincere apologies” over the incident.

The Office of the Government Chief Information Officer said on Sunday that it had asked all bureaus and departments to review their computer security and report back within a week following two other data incidents that involved the personal details of almost 130,000 people.

In the fire service case, the data included the surnames and telephone numbers of around 480 members of the public who had reported tree collapse incidents when Super Typhoon Saola struck on September 2 last year.

Data of people who reported fallen trees during Super Typhoon Saola was also at risk. Photo: Sam Tsang

Personal information of about 5,000 fire service staff, including names, telephone numbers, ranks and numbers, and their postings, was also at risk of leaks.

The department added that 960 incomplete identity card numbers of staff were also involved.

It said it had notified affected members of the public through messages or phone calls.

The outsourced contractor, whose name was not disclosed in the statement, was immediately stripped of access rights to the system. The department was also ordered to suspend the system operation and all of its contract jobs.

The department said it and the contractor were “conducting a comprehensive review of the incident and stepping up the protective measures to prevent similar incidents”.

The department said it had reported the incident to police, the Security Bureau, the Office of the Government Chief Information Officer and the Office of the Privacy Commissioner for Personal Data, the privacy watchdog.

Michael Gazeley, founder of Hong Kong cybersecurity firm Network Box, said the unauthorised change of access was “quite a disturbing comment”.

“Because in that case, if there was private data being handed over, then obviously that data should have been supervised,” he said. “If a contractor really did just change access rights, why was it not supervised?”

We just can’t allow this to carry on

Michael Gazeley, founder of cybersecurity firm Network Box

Despite there not being enough details provided so far for a firm comment on the cause of the incident, the cybersecurity expert said that with some foresight it should have been preventable.

Gazeley said there were several key factors in the recent spate of cybersecurity issues involving different government bodies and the private sector in the past few weeks.

“Some are apparently due to human error and lack of effective supervision; some are due to vulnerabilities in the victim’s cybersecurity systems; and some are due to third-party devices or software being added to an organisation’s networks without the needed security in place,” he said.

“We just can’t allow this to carry on.”

He said significant changes had to be made in how cyberattacks and also cybersecurity were handled.

The fire service case was the latest of a recent string of data security incidents at major public bodies

The Companies Registry said on Friday that personal information – including names, addresses, telephone numbers and email addresses, as well as identity card and passport numbers – of about 110,000 people had been leaked because of a fault in its digital platform.
A day earlier, the Electrical and Mechanical Services Department reported that information on 17,000 public housing tenants required to take Covid-19 tests in 2022, including their names, phone numbers, ID numbers and addresses, had been compromised.
On Thursday, the Office of the Privacy Commissioner for Personal Data also revealed that the Consumer Council breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack last September.


Leave a Comment