Hong Kong’s privacy watchdog ‘very disappointed’ at data breach involving 2.6 million Carousell users worldwide
Hong Kong Free Press
Hong Kong’s privacy watchdog has said it was “very disappointed” that online marketplace Carousell saw the leakage of personal data involving 2.6 million users worldwide, including more than 320,000 users in the city.
The personal data of 324,232 Carousell user accounts in Hong Kong was disclosed following a security breach that took place during a system migration in January 2022, Privacy Commissioner Ada Chung revealed in an investigation report on Thursday.
The information users supplied to the platform included email address, region and mobile phone number. Some also provided additional data such as name, gender and date of birth, and an image to be used as a profile photo.
The data breach did not include identification card numbers, passwords or credit card or payment information, Carousell told the watchdog.
The Singapore-based retail platform for buying and selling new and second-hand goods had failed to conduct a privacy impact assessment before the data transfer, and the company had no written guidelines for its code review process, the Office of the Privacy Commissioner for Personal Data (PCPD) said.
The privacy watchdog found that there was inadequate security assessment for the system migration, and the company failed to put in place effective measures for detecting unusual activities such as the extraction of users’ personal data from the system.
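The PCPD's second finding, that there was no effective way to detect unusual activity such as the extraction of users' personal data, is the kind of control a practitioner would implement as a bulk-read detector over the system's own access logs. The following is an added illustration and not code from Carousell or from the report: it assumes a simple log format (`timestamp actor action target-user-id`), a sliding window of 60 seconds and a threshold of 20 distinct user records per window, and it runs on a constructed sample log in which a migration job reads 50 records in quick succession while a support agent reads three.

```python
"""Detect bulk extraction of user records from an access log.

Added illustration (not Carousell's code). Flags any actor that reads more
distinct user records within a short window than a normal workflow would
need. Log format, actor names, window and threshold are all assumptions.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
THRESHOLD = 20                   # distinct records per window before alerting (assumed)


def parse_line(line):
    """Parse 'ISO-timestamp actor action target' into (datetime, actor, action, target)."""
    ts, actor, action, target = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), actor, action, target


def detect_bulk_reads(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor whose distinct record reads inside any
    `window` exceed `threshold`. Each alert is (actor, time_exceeded, count)."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_actor = {}
    for ts, actor, action, target in events:
        if action != "read_profile":      # only record reads count towards extraction
            continue
        per_actor.setdefault(actor, []).append((ts, target))

    alerts = []
    for actor, reads in per_actor.items():
        in_window = deque()   # (timestamp, target) events inside the current window
        counts = {}           # target -> number of occurrences currently in window
        for ts, target in reads:
            in_window.append((ts, target))
            counts[target] = counts.get(target, 0) + 1
            # evict events that have fallen out of the window
            while in_window and ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            if len(counts) > threshold:
                alerts.append((actor, ts, len(counts)))
                break             # one alert per actor is enough for triage
    return alerts


def constructed_log():
    """Constructed sample log (not real data): a migration job reading 50
    records at one per second, and a support agent reading three records."""
    base = datetime(2022, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(50):
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{t} svc-migrator read_profile u{1001 + i}")
    for i in range(3):
        t = (base + timedelta(minutes=5, seconds=30 * i)).strftime(fmt)
        lines.append(f"{t} support-agent read_profile u{2001 + i}")
    return lines


if __name__ == "__main__":
    for actor, ts, n in detect_bulk_reads(constructed_log()):
        print(f"ALERT {actor} read {n} distinct records within {WINDOW} by {ts.isoformat()}")
```

On the constructed sample the migration account trips the threshold on its 21st distinct record; the support agent never does. A real deployment would feed the same logic from the application's audit log and tune the window and threshold per role, since a migration job legitimately reads many records and should run under a dedicated, monitored identity rather than be exempted from detection.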
It was reasonable to expect Carousell – founded in 2012 and with extensive operations globally – to have sufficient resources for ensuring its information systems were robust, the PCPD report read. The data leakage concerning 2.6 million users worldwide could have been prevented had the company conducted normal risk and security assessment procedures, the watchdog concluded.
“[T]he Privacy Commissioner was very disappointed to note that the occurrence of the incident revealed fundamental failures by Carousell to ensure the security of the personal data held by the group…” the PCPD said.
The data breach was reported to the PCPD in October last year. It came after the company found a listing on an online forum which offered to sell the personal data of 2.6 million Carousell users. A probe was launched after the watchdog suspected that the leakage amounted to a violation of requirements stipulated in the Personal Data (Privacy) Ordinance.
The online marketplace is available in Singapore, Hong Kong, Malaysia, Indonesia, the Philippines and Taiwan, with tens of millions of monthly active users.
Carousell should conduct effective vulnerability assessments and provide employee training, the PCPD said, adding the company should formulate localised policies and procedures to ensure its operations were in compliance with Hong Kong’s privacy laws.