Date: 13 September 2023
Response of the Privacy Commissioner’s Office
on the Cyberport’s Data Breach Incident
The Office of the Privacy Commissioner for Personal Data (PCPD) received a data breach notification from Cyberport on 18 August and has commenced a compliance check into the incident in accordance with established procedures. The PCPD has advised the relevant organisation to notify the affected data subjects as soon as possible, and is not in a position to disclose further information at this stage.
Having considered that the incident involved the leakage of personal data, the PCPD has set up a hotline for members of the public to make enquiries or complaints. The hotline number is 3423 6611 and the email address is communications@pcpd.org.hk. The PCPD appeals to the affected data subjects to make enquiries or complaints with the PCPD or the relevant organisation if they suspect that their personal data have been leaked. As of today (13 September), the PCPD has received 11 enquiries regarding the incident.
The PCPD calls on the affected data subjects to be vigilant about potential theft of their personal data and to take the following measures to protect personal data privacy:
- Consider changing the passwords of online accounts and activating the multi-factor authentication function (if available);
- Beware of any unusual logins of personal emails or accounts;
- Review bank statements to spot any unauthorised transactions;
- Stay vigilant when receiving any suspicious calls, text messages or emails from unknown sources, and do not open attachments or disclose personal data arbitrarily; and
- Be vigilant against phishing or other possible scams.
In parallel, the PCPD recommends that organisations which handle personal data adopt the following data security measures to safeguard data security and prevent malicious attacks on their information systems:
- Adopt data governance and organisational measures: Organisations should establish clear internal policy and procedures on data governance and data security, including the appointment of suitable personnel in a leadership role to bear specific responsibility for data security, and ensure sufficient training is provided for staff members;
- Conduct regular risk assessments on data security for new systems and applications before launch, as well as regularly thereafter;
- Implement a series of technical and operational security measures;
- Properly manage data processors: A data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor;
- Take timely remedial actions in the event of data security incidents, thereby reducing the gravity of harm that may be caused to the organisation and affected individuals; and
- Regularly monitor, evaluate and improve compliance with data security policies.
For details, please download the “Guidance Note on Data Security Measures for Information and Communications Technology”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_datasecurity_e.pdf
To assist organisations in preparing themselves in the event a data breach occurs, the PCPD has also issued the “Guidance on Data Breach Handling and Data Breach Notifications”, which contains practical recommendations to help organisations prepare data breach response plans and handle data breach incidents.
Please download the “Guidance on Data Breach Handling and Data Breach Notifications” from the website:
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf
-End-