Scandals expose the vulnerability of Hong Kong’s cyber defences
Providing personal details is part of modern life, but we expect them to be secure. Instead, government departments are leaking like a sieve
Hong Kong has spent the last four years energetically tackling a wide range of perceived threats to national security. But one area in which more security is desperately needed is in the prevention of personal data leaks. The city has suffered a wave of serious hacking attacks and glaring data privacy breaches.
The latest scandal concerns the Companies Registry. The online database leaked personal details of 110,000 people, including names, passport and identity card numbers and residential addresses. Hong Kong’s privacy watchdog launched an investigation after the registry suspended online access on April 19. It is worrying for those affected, who are being warned to watch out for signs that their personal data is being abused, including checking their bank accounts for unauthorised transactions.
Clearly, the registry must swiftly review its systems, step up security measures and close any gaps in the portal’s defences.
The leak would be less of a concern if it was an isolated case. But this was the third time in a week a public body had hit the headlines because of a data security breach, following a string of similar cases in recent months.
Last week, the Office of the Privacy Commissioner for Personal Data announced it was investigating the leaking of the personal data of 17,000 residents collected by the Electrical and Mechanical Services Department during the pandemic in 2022. There had been a failure in the department’s password login system.
The watchdog also revealed the Consumer Council breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack. Hackers gained access to an administrator account in September and carried out malicious activities while trying to force the council to pay a US$500,000 ransom.
Meanwhile, Cyberport, the governmentfunded tech hub, has been ordered to make substantial improvements to its system and procedures after hackers gained access in August and stole the personal data of 13,000 staff and jobseekers. An investigation by the privacy watchdog found Cyberport to have “failed to implement sufficient and effective measures” to safeguard data security. It breached two privacy law principles by not keeping information secure and keeping data years after the period permitted by its policies.
The sorry list of the city’s data leaks also includes Hongkong Post, the Social Welfare Department, the Hong Kong Ballet and online market Carousell.
Hong Kong is not alone in facing the challenge of resisting increasingly sophisticated cyberattacks. There is a rising trend around the world, from phishing to ransomware. But the spate of scandals has exposed the shocking vulnerability of the city’s defences. Lessons have not been learned. There was a 50 per cent rise in reports of data breaches last year – 157 compared to 105 in 2022 – with 64 reports of hacking. The higher number of reports is likely to be partly due to increased awareness of the risks. But the danger is clear and present.
A study revealed in November that 73 per cent of companies polled had suffered cybersecurity attacks in the past year. Worryingly, the survey showed preparedness to have declined and staff awareness to be low.
The privacy watchdog has launched a thematic website which includes a selfassessment tool for businesses to test the adequacy of their data security measures. It has also set up a data security hotline. But much more needs to be done. Government departments are leaking like a sieve.
A comprehensive and concerted effort is required to get the city’s public and private sectors up to speed. Data must be securely stored, systems regularly reviewed and updated and staff adequately trained. More resources will be needed. Data users, meanwhile, need to be more aware of the risks when supplying personal details or allowing them to be accessed.
Providing our personal details is part of modern life. But we expect them to be held securely. The city’s personal data defences are clearly inadequate and in urgent need of strengthening.
The city’s personal data defences are clearly inadequate