Hong Kong urged to improve accountability after two more gov’t data breaches
Hong Kong Free Press
The Hong Kong government should improve accountability and ensure computer security measures are put in place to protect citizens’ privacy, a lawmaker has said after two more departments reported data breach incidents last week.
It was “not ideal” that government departments and statutory bodies often “procrastinated” and reported data breach incidents to the Office of the Privacy Commissioner for Personal Data (PCPD) after “a certain period of time,” legislator Elizabeth Quat of the pro-Beijing DAB party said on Monday.
Citizens’ data at risk
The remarks from Quat, who chairs the Panel on Information Technology and Broadcasting at the legislature, came days after the Electrical and Mechanical Services Department (EMSD) and the Companies Registry reported last week that personal data stored on their servers had been compromised.
The EMSD said last Thursday that an online server platform, which stored data collected during the government’s Covid-19 restriction-testing declaration operations between March and July 2022, saw a password login system failure.
The glitch was flagged by the privacy watchdog to the department last Tuesday. The system error allowed the names, telephone numbers, identity card numbers and addresses of around 17,000 people to be viewed on the server platform without entering any password, the EMSD said.
There was no evidence that the personal information had been published anywhere, the department said, adding it had reported the case to the police and would notify households affected.
Separately, the Companies Registry said last Friday that the design of its e-Services Portal by a contractor had resulted in the transmission of additional personal data to the client’s computer during searches.
Although the additional information was not displayed on the search result pages, it could be obtained with the use of a web developer tool. Some personal information could be also accessed using a search request issued by a computer programme, the Companies Registry said.
It was estimated that around 110,000 data subjects were affected, with their names, full passport numbers, identity card numbers, residential addresses, telephone numbers and email addresses at risk of being leaked.
Lack of awareness
Quat said on Monday that the recent data incidents reflected a lack of awareness of network security and the protection of personal privacy among staff members.
Instead of merely relying on guidelines issued by the Office of the Government Chief Information Officer (OGCIO), the government should require department heads to ensure sufficient security measures for its information technology systems, Quat said. Anyone responsible for negligence or a violation should be held accountable and disciplined accordingly, the legislator added.
“Asking the OGCIO to oversee 70 odd government departments and several hundreds of computer systems is unrealistic,” the lawmaker said in Cantonese.
The government should also include a privacy data assessment audit before releasing any information technology systems to ensure they do not release excessive data to the general public, the DAB legislator said.
Quat added that she hoped the new Digital Policy Office, which will merge the existing OGCIO and the Efficiency Office, could monitor cyber attack trends closely, issue warning notifications in a timely manner, and improve the government’s real-time response to information security threats.
Uptick in breaches
The privacy watchdog said it received more than 150 data breach notifications last year, marking a nearly 50 per cent increase compared to the previous year.
Last month, the city’s privacy watchdog found “clear oversight” in a data leak involving technology park Cyberport. The government-owned tech hub was said to have infrequent security audits and unnecessary retention of personal data, which allowed its servers to be attacked by malicious ransomware last August.
Last September, the Consumer Council fell victim to hackers who launched a cyberattack that damaged about 80 per cent of the watchdog’s computer systems.
Support HKFP | Policies & Ethics | Error/typo? | Contact Us | Newsletter | Transparency & Annual Report | Apps
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
HKFP has an impartial stance, transparent funding, and balanced coverage guided by an Ethics Code and Corrections Policy.
Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.