• 11/26/2024

Hong Kong’s privacy watchdog ‘very disappointed’ at data breach involving 2.6 million Carousell users worldwide

Hong Kong Free Press

Carousell data breach

Hong Kong’s privacy watchdog has said it was “very disappointed” that online marketplace Carousell saw the leakage of personal data involving 2.6 million users worldwide, including more than 320,000 users in the city.

The personal data of 324,232 Carousell user accounts in Hong Kong was disclosed following a security breach that took place during a system migration in January 2022, Privacy Commissioner Ada Chung revealed in an investigation report on Thursday.

The mobile application of online marketplace Carousell. Photo: Kelly Ho/HKFP.

The information users supplied to the platform included email address, region and mobile phone number. Some also provided additional data such as name, gender and date of birth, and an image to be used as a profile photo.

The data breach did not include identification card numbers, passwords or credit card or payment information, Carousell told the watchdog.

The Singapore-based retail platform for buying and selling new and second-hand goods had failed to conduct a privacy impact assessment before the data transfer, while the company had no written guidelines for the code review process, the Office of the Privacy Commissioner for Personal Data (PCPD) said.

The privacy watchdog found that there was inadequate security assessment for the system migration, and the company failed to put in place effective measures for detecting unusual activities such as the extraction of users’ personal data from the system.

Privacy Commissioner Ada Chung meets the press on December 21, 2022. Photo: Office of the Privacy Commissioner for Personal Data.

It was reasonable to expect Carousell – founded in 2012 and with extensive operations globally – to have sufficient resources for ensuring its information systems were robust, the PCPD report read. The data leakage concerning 2.6 million users worldwide could have been prevented had the company conducted normal risk and security assessment procedures, the watchdog concluded.

“[T]he Privacy Commissioner was very disappointed to note that the occurrence of the incident revealed fundamental failures by Carousell to ensure the security of the personal data held by the group…” the PCPD said.

The data breach was reported to the PCPD in October last year. It came after the company found a listing on an online forum which offered to sell the personal data of 2.6 million Carousell users. A probe was launched after the watchdog suspected that the leakage amounted to a violation of requirements stipulated in the Personal Data (Privacy) Ordinance.

The online marketplace is available in Singapore, Hong Kong, Malaysia, Indonesia, the Philippines and Taiwan, with tens of millions of monthly active users.

Carousell should conduct effective vulnerability assessments and provide employee training, the PCPD said, adding the company should formulate localised policies and procedures to ensure its operations were in compliance with Hong Kong’s privacy laws.


https://hongkongfp.com/2023/12/22/hong-kongs-privacy-watchdog-very-disappointed-at-data-breach-involving-2-6-million-carousell-users-worldwide/