Cyber Security Breaches in Hong Kong: A Growing Trend and a Call to Action
Hong Kong is grappling with a surge in cyber security breaches, prompting the authority to take proactive measures. This article highlights the need for immediate action, urging organizations to bolster their data security practices to safeguard sensitive information and restore trust in the digital ecosystem.

INTRODUCTION
Hong Kong has witnessed a recent surge in cyber security breaches, with both the private and public sectors falling prey to cyber attacks. According to the Office of the Privacy Commissioner for Personal Data (“PCPD”) in Hong Kong, there was a more than 20% increase in reported data breaches in the first half of 2023 compared to the second half of 2022. These breaches have had a profound impact on businesses and individuals, from disrupting business operations to compromising sensitive personal data including credit card details, login credentials and, more seriously, medical records. The consequences of these breaches extend beyond financial losses, affecting trust and reputation in the long run.
Acknowledging the magnitude and impact of these breaches, the PCPD has taken a more proactive approach to combat the issue. The PCPD is actively investigating and reporting breaches of data privacy and issuing comprehensive guidelines to help organizations improve their data management and security practices. This article aims to shed light on the cyber security risks, the recent enforcement actions taken by the PCPD, and the recommended measures to prevent data breaches.
PCPD INVESTIGATION – RANSOMWARE ATTACK
The Hong Kong Institute of Bankers (“HKIB”) experienced a data breach incident when six servers containing personal data (“Servers”) were attacked by ransomware and maliciously encrypted. The hacker threatened to upload the files in the Servers to the internet and demanded a ransom to unlock the encrypted files. Over 13,000 members and about 100,000 non-members were affected, with personal data including names, identity card numbers, and credit card numbers being compromised.
The PCPD initiated an investigation into the incident, reviewing the security measures implemented by HKIB and the actions taken following the breach. The PCPD’s investigation report found that there were three apparent deficiencies in risk awareness about data security and in the personal data security measures of HKIB:
- Inadequacies in Management of Data Security – HKIB did not stipulate any risk management mechanism for data security and did not request service providers to act in accordance with such a mechanism. This reflected a lack of effective monitoring of the data security measures of its service providers, thus allowing the hacker to successfully intrude into the system and encrypt the Servers.
- Deficiencies in Information System Management – The PCPD investigated the security measures of HKIB’s information system, such as regular penetration testing, antivirus software and the data loss prevention system, and considered that the personal data security management was unsatisfactory. HKIB lacked stringent measures to regulate staff behaviour and to review system settings in a timely manner, so the security of the information system was ineffective in addressing risks and threats.
- Prolonged Implementation of Multi-factor Authentication – HKIB’s firewall manufacturer discovered a potential risk whereby attackers could bypass security restrictions and recommended that HKIB enable multi-factor authentication. However, HKIB did not adopt the recommendation, which led to the eventual ransomware attack.
For the reasons above, the PCPD concluded that HKIB had not taken all practicable steps to ensure that the personal data was properly protected, thereby contravening DPP 4(1) concerning the security of personal data.
HKIB was served an Enforcement Notice requiring it to take remedial actions and prevent recurrence of the contravention, including engaging an independent data security expert to conduct thorough reviews of HKIB’s system security, and revising its system security policy to require regular vulnerability scans and to specify patch management requirements. HKIB was also required to provide documentary proof within two months showing compliance with the Enforcement Notice.
The PCPD has further provided some recommendations to organisations that handle personal data with the use of information and communication technology. These include staying vigilant against hacker attacks, establishing a personal data privacy management program, appointing a dedicated data protection officer, enhancing information system management, conducting data backups conscientiously, and properly monitoring service providers.
The investigation emphasizes that a robust data security system is crucial for good data governance, and highlights the importance of timely patch management and the need for organizations to comply with data security requirements.
GUIDANCE ON DATA BREACH HANDLING
In response to the rising tide of cyber security breaches, the Commissioner recently revised the “Guidance on Data Breach Handling and Data Breach Notifications” (“Guidance”) in June 2023. It provides organizations with a thorough understanding of what constitutes a data breach and lays out a clear action plan to follow when one occurs.
The Guidance recommends that a comprehensive data breach response plan should outline the procedures to be followed when a data breach occurs and formulate strategies to handle the incident. The plan is recommended to cover a description of what constitutes a data breach, an internal incident notification procedure, designation of the roles and responsibilities of members of the breach response team and their contact details, a risk assessment workflow, a containment strategy, a communication plan, an investigation procedure, a record-keeping policy, a post-incident review mechanism, and a training or drill plan.
Upon the occurrence of a data breach, data users are recommended to take the following key steps: (1) identifying and verifying the breach; (2) containing the breach and taking steps to minimize damage; (3) assessing the risks associated with the breach; (4) reporting the breach to the PCPD and the affected individuals, if necessary; and (5) reviewing the incident and implementing measures to prevent future breaches.
While data breach notifications in Hong Kong are not mandatory under the current legislative regime, the PCPD strongly encourages data users to give such notifications promptly to the affected data subjects, the PCPD, law enforcement agencies and other relevant parties when a data breach has occurred. This allows appropriate measures to be taken to mitigate any potential harm or damage and demonstrates the data user’s commitment to data privacy.
Previously, a data user wishing to make a data breach notification needed to submit a paper form to the PCPD. To facilitate the reporting and handling of data breaches, the PCPD has launched an e-Data Breach Notification Form. This digital tool enables organizations to record the details of data breach incidents more comprehensively and to report them to the Commissioner in a more convenient manner. The key information required to complete the form includes basic information about the data user, particulars of the breach, and an assessment of the breach and the remedial actions taken. Pinsent Masons Hong Kong can help with notifications to the PCPD.
CONCLUSION AND TAKEAWAYS
As cyber threats continue to evolve and grow, it is more crucial than ever for organizations to stay ahead of potential security breaches. The PCPD's proactive stance of investigating breaches, issuing enforcement actions and providing practical guidance goes towards fostering a safer data environment in Hong Kong.
To protect against cyber threats, corporations should regularly review their processes, stay alert to potential data breaches, invest in robust data security infrastructure, and follow the PCPD's guidance on data breach handling and notifications. Care needs to be taken in assessing whether to promptly report incidents to the regulator or to affected individuals. When incidents are handled appropriately, companies can minimise the risks and impact of data breaches and maintain the trust and confidence of their customers.
Article provided by INPLP member: Jennifer Wu (Pinsent Masons LLP, Hong Kong)