Skip to content

Response to Media Enquiry or Report

Response to Media Enquiry or Report

Date: 14 February 2019

Response to media enquiry on the selling of website users' data on Dark Web 

Thank you very much for your enquiry. Our response from the perspective of personal data privacy is as follows:
  • The Privacy Commissioner is aware of the relevant media reports, and will closely monitor the development and its impact on the personal data privacy of the members of the public.
  • If a person suspects that his privacy rights relating to personal data are being encroached or abused, he may complain to the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD). Upon receipt of the complaint, the PCPD will take appropriate follow-up action. If there is a prima facie case, the PCPD may initiate an investigation to decide if there is contravention of the Personal Data (Privacy) Ordinance.
  • As of noon today (14 February 2019), the PCPD did not receive any relevant complaints or enquiries, and no relevant data breach notifications from the said applications (i.e. MyFitnessPal, Dubsmash, Whitepages and CoffeeMeetsBagel) were reported to the PCPD.
  • The Privacy Commissioner reminds members of the public to stay vigilant - be cautious against any suspicious emails and avoid opening email attachments or clicking on email links from unfamiliar sources. If they suspect their passwords are leaked, they should immediately change the leaked passwords of all the accounts concerned to protect themselves. They should also handle their accounts and passwords safely:
    • Do not use the same password for all accounts, particularly for those that contain sensitive personal data;
    • Use complex passwords , with a mixture of numbers and letters;
    • Develop a method to change passwords regularly yet ensuring you remember them without having to write them down; and
    • Do not reveal or provide your passwords to anyone including those who claim to represent the websites.
  • Organisations should notify the affected users and, if applicable, ask the account holders to reset their passwords immediately once data breaches were detected. Organisations should also consider the following tips to prevent data breach:
    • Have clear and proper data protection policies and guidelines in place;
    • Develop proper password complexity and reset controls;
    • Encrypt data at rest and data in motion using the appropriate algorithm and protecting the passwords;
    • Develop formal security patch management;
    • Regularly search the server, Internet and website for inadvertent leakage of personal data;
    • Regularly check the website with vulnerability scanning/testing; and
    • Ensure secure erasure of personal data which is no longer needed.
Visit the PCPD’s Be SMART Online thematic website to get more practical tips on protecting online personal data privacy.