Media Statement - Privacy Commissioner's Office Reports on its Work in 2022 and Publishes an Investigation Report

Date: 9 February 2023

The Office of the Privacy Commissioner for Personal Data (PCPD) reported on its work in 2022 and released an investigation report into a data breach incident relating to The Hong Kong Institute of Bankers today (9 February).
 
1. Complaint Cases
 
In 2022, the PCPD received 3,848 complaints, which represented an increase of 15% when compared to 3,354 cases in 2021. This was mainly attributable to an increase in doxxing complaints following the implementation of the new anti-doxxing regime introduced by the Personal Data (Privacy) Amendment Ordinance 2021 in late 2021. Of these complaint cases, 95% involved complaints against private organisations or individuals (3,656 cases), while the remaining 5% were against public organisations or government departments.
 
2. Enquiries
 
The PCPD received a total of 14,929 public enquiries in 2022. The figure dropped by 15% when compared to 17,651 cases in 2021. On average, over 1,200 public enquiries were handled per month.
 
In view of the rising trend of scams involving personal data fraud perpetrated through telephone calls, emails or SMS messages, the PCPD set up a “Personal Data Fraud Prevention Hotline” 3423 6611 in September 2022 to handle enquiries or complaints from members of the public in relation to suspected data fraud cases, and the Hotline received 168 calls by the end of December. For 2022, the PCPD received 707 enquiries relating to personal data frauds, which represented a 26% increase when compared to 557 enquiries for 2021.
 
3. Data Breach Incidents
 
In 2022, the PCPD received 105 data breach notifications, with 41 from the public sector and 64 from the private sector. The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by fax, email or post, employee misconduct and system misconfiguration, etc.
 
The PCPD initiated 392 compliance checks in 2022, representing a 4% increase as compared to 377 compliance checks in 2021.
 
4. The New Anti-Doxxing Regime under the Personal Data (Privacy) Ordinance (PDPO)
 
The new provisions criminalising doxxing acts under the PDPO came into effect on 8 October 2021. The amendments empower the Privacy Commissioner for Personal Data (Privacy Commissioner) to carry out criminal investigations, institute prosecutions for doxxing-related offences, and issue cessation notices to stop disclosure of doxxing messages.
 
Law Enforcement
 
From the implementation of the relevant provisions to 31 December 2022, the PCPD handled a total of 2,128 doxxing cases and initiated 114 criminal investigations. 32 cases were referred to the Police for further follow-up actions.
 
As to arrest operations, the PCPD had mounted a total of 12 arrest operations by 31 December 2022, including one in 2021 and 11 in 2022 (with one arrest made as a joint operation with the Police). A total of 12 suspects were arrested. The nature of the disputes leading to the doxxing acts was monetary dispute (50%), work dispute (25%) and relationship dispute (17%). The means used by the doxxers were social media platforms and instant messaging apps (92%), as well as posters (8%).
 
As of 31 December 2022, five of the arrested persons had been charged. Two of them were convicted, one of whom was sentenced to eight months’ imprisonment. The PCPD welcomes the court’s decision and believes the aforesaid sentence has a deterrent effect on doxxing acts. The other prosecuted cases are still undergoing judicial process.
 
Cessation Notice
 
Between October 2021 (when the relevant provisions came into operation) and 31 December 2022, the PCPD issued a total of 1,500 cessation notices to 26 online platforms, requesting removal of 17,703 doxxing messages, with a compliance rate of over 90%.
 
5. Investigation Report on The Hong Kong Institute of Bankers
 
On completion of its investigation into a data breach incident relating to The Hong Kong Institute of Bankers (HKIB), the PCPD published an investigation report today (9 February). The investigation arose from a data breach notification lodged by HKIB reporting that six servers which contained personal data had been attacked by ransomware and maliciously encrypted, and that a hacker had threatened to upload the files in the servers to the internet and demanded a ransom from HKIB to unlock the encrypted files. The personal data of over 13,000 members and about 100,000 non-members had been leaked in the incident.
 
From the evidence collected in the investigation, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that there were deficiencies in HKIB’s awareness of data security risks and in its personal data security measures, namely:
 
  1. Inadequacies in the management of data security risk;
  2. Deficiencies in information system management; and
  3. Prolonged implementation of multi-factor authentication.
 
In this case, the Privacy Commissioner found that there were apparent deficiencies in the data security risk management and the personal data security measures of HKIB, which led to the ransomware attack on its servers which contained personal data. The Privacy Commissioner considered that HKIB lacked an effective data security risk management mechanism and adopted a lax approach towards service providers in the maintenance of critical network infrastructure. As a result, the security measures of the information system which contained personal data were ineffective in addressing cybersecurity risks and threats. The Privacy Commissioner considered, upon conclusion of the investigation, that HKIB had not taken all practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) concerning the security of personal data under the PDPO. The Privacy Commissioner has served an enforcement notice on HKIB, directing it to remedy and prevent recurrence of the contravention.
 
Through the report, the Privacy Commissioner would like to make the following recommendations to organisations that handle personal data using information and communications technology:
 
  • Stay vigilant to prevent hacker attacks by conducting regular risk assessments;
  • Establish a Personal Data Privacy Management Programme to use and retain personal data in compliance with the PDPO, and to effectively manage the entire lifecycle of personal data;
  • Appoint a dedicated officer as Data Protection Officer;
  • Enhance information system management, including developing effective patch management procedures to patch vulnerabilities as early as possible;
  • Conduct data backup conscientiously, including formulating a data backup policy and conducting regular backup for systems containing important data; and
  • Monitor service providers appropriately.
 
Download the Investigation Report “Ransomware Attack on the Servers of The Hong Kong Institute of Bankers”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r23_6319_e.pdf
 
6. Leaflet on Data Security
 
In 2022, the PCPD received from organisations a total of 105 data breach notifications, more than a quarter of which involved hacking. The number of Hong Kong citizens affected by data breach incidents also soared from around 600,000 in 2021 to more than one million in 2022. In view of this, the PCPD published today (9 February) a leaflet to introduce the “Guidance Note on Data Security Measures for Information and Communications Technology”, with a view to highlighting the key points of recommended data security measures.
 
The leaflet covers the seven key areas of data security measures as recommended in the Guidance:
 
  • Data Governance and Organisational Measures;
  • Risk Assessments;
  • A Recommended Series of Technical and Operational Security Measures;
  • Data Processor Management;
  • Remedial Actions in the Event of Data Security Incidents;
  • Regularly Monitoring, Evaluating and Improving compliance with data security policies; and
  • Data Security Measures for Cloud Services, “Bring Your Own Devices” and Portable Storage Devices.
 
Download “Guidance”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_datasecurity_e.pdf
 
Download leaflet on “Guidance”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/data_security_measures_leaflet_e.pdf
 

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the PCPD’s work in 2022.
 

Acting Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei, introduced the investigation report on The Hong Kong Institute of Bankers.
 
-End-