Response to Media Enquiry or Report

Privacy Commissioner Responses to Media Enquiry on the Yahoo Data Breach

1. The Privacy Commissioner for Personal Data, Hong Kong (the “Privacy Commissioner”), Mr Stephen Kai-yi WONG, expresses deep concern regarding the Yahoo’s massive data breach confirmed late last week, which may include account information and personal data such as names, email addresses, telephone numbers, dates of birth, hashed passwords and the security questions and answers.  

2. As Hong Kong residents appear to be involved in this data breach incident, the Privacy Commissioner will continue to keep track of the development and where appropriate, will consider taking appropriate actions including seeking cooperation with overseas data protection authorities for follow-up actions pursuant to established international cooperation arrangements.

3. Meanwhile, the Privacy Commissioner urges the Yahoo users to change their account passwords and security questions and answers immediately, and also to avoid using the same or similar login information in other online accounts in order to protect their own personal data.

4. The Privacy Commissioner would also like to remind the Internet users to use computers and the Internet wisely as “data protection is in your hands”, and provides the following general tips on protecting their accounts and password information:

• Develop a method to update your passwords regularly;
• Do not use the same password for all accounts, particularly for those that contain sensitive personal data;
• Do not open online accounts with the same name and do not use the same email address for multiple account registrations;
• Use complex passwords, e.g. set those with at least eight characters long, with a mixture of numbers and letters, or follow the password policy as suggested by the website; and
• Do not reveal or provide your password to anyone including those who claim to represent the websites.

5. If a person suspects that his privacy rights relating to personal data are being encroached or abused, he should first raise his concern with the individuals / organisations that he suspects of abusing his personal information. If he is dissatisfied with their response, he can then lodge a complaint with the office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”). Upon receipt of the complaints, the PCPD will take appropriate follow up action. If there is a prima facie case, the PCPD may initiate a formal investigation to decide if there is contravention of the Ordinance.

6. For those data users that control the collection, holding, processing or use of the personal data, they shall comply with the requirements under the Personal Data (Privacy) Ordinance (the “Ordinance”), including the six Data Protection Principles (DPPs), in particular the DPP4 (Data Security Principle), where data users need to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.

The Privacy Commissioner issued the “Guidance for Data Users on the Collection and Use of Personal Data through the Internet” which offers advice to data users (both organisational and individual data users) on complying with the Ordinance while engaging in the collection, display or transmission of personal data through the Internet. The “Protecting Privacy – Using Computers and the Internet Wisely” was also issued to provide practical tips and advice to the members of the public on how individuals can protect their personal data when using information and communication technologies. Members of the public can also visit our website (www.PCPD.org.hk) to get more practical tips on protecting personal data.

(The above reply can be attributed to Mr Stephen Kai-yi Wong, the Privacy Commissioner for Personal Data, Hong Kong)