
Response to Media Enquiry or Report


Date: 1 December 2018

Response to Media Enquiry on the Marriott International Data Breach Incident


Thank you for your enquiry regarding the possible data breach due to the hacking of the guest reservation database of Starwood Hotels & Resorts of Marriott. Our responses are as follows:

  • The office of the Privacy Commissioner for Personal Data (PCPD) received a Data Breach Notification from the said hotel group yesterday. Privacy Commissioner for Personal Data (Privacy Commissioner) Stephen Kai-yi Wong has initiated a compliance check to gather the facts and further details on the incident, including the cause of the data breach and the number of affected persons, and to evaluate the actions proposed or taken, etc. The PCPD is not able to provide further information, as the compliance check has just commenced and is still ongoing.

  • The Privacy Commissioner stressed that all organisations are legally and ethically obliged to reasonably protect the personal data collected and to prevent such data from unauthorised access or loss, as such data belongs to the individual customers.

  • The Privacy Commissioner stated that, in view of the recent data breach incidents, and with the Personal Data (Privacy) Ordinance (the Ordinance) enacted in 1995 and amended in 2012, the cyber security risk resulting from the growth of Big Data and advancement in ICT development is unprecedented and getting serious. The PCPD understands the public concern about data breach incidents and the increasing expectations of personal data security. The PCPD hopes that there will be sufficient and strong support for the requisite reform of the law. Apart from law enforcement, organisations shall incorporate data governance, stewardship and ethics (namely respectful, beneficial and fair) as part of corporate governance and as a long-term solution for personal data protection.

  • The Privacy Commissioner also suggested that members of the public change the passwords of relevant hotel accounts expeditiously and not use the same password for different accounts. Moreover, they should not open suspicious messages or emails, and should contact the relevant hotels for verification in case of any doubt.