Date: 21 September 2023
Privacy Commissioner’s Office’s Response to Media Enquiries on Data Breach Incident of Consumer Council
In response to media enquiries, the Office of the Privacy Commissioner for Personal Data (PCPD) confirmed that it had received a data breach notification from the Consumer Council today (21 September) and has commenced a compliance check into the incident in accordance with established procedures. The PCPD has also advised the relevant organisation to notify the affected data subjects as soon as possible.
Having considered that the incident may involve the leakage of personal data, the PCPD appeals to the possibly affected data subjects to be vigilant about potential theft of their personal data. If they are in doubt about whether their personal data have been leaked, they may make enquiries with the relevant organisation or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk). To protect personal data privacy, affected data subjects are advised to take the following measures:
- Consider changing the passwords of online accounts and activating the multi-factor authentication function (if available);
- Beware of any unusual logins to personal emails or accounts;
- Review bank statements to spot any unauthorised transactions;
- Stay vigilant when receiving any suspicious calls, text messages or emails from unknown sources, and do not open attachments or disclose personal data arbitrarily; and
- Be vigilant against phishing or other possible scams.
In parallel, the PCPD recommends that organisations which handle personal data adopt the following data security measures to safeguard data security and prevent malicious attacks on their information systems:
- Adopt data governance and organisational measures: Organisations should establish clear internal policy and procedures on data governance and data security, including the appointment of suitable personnel in a leadership role to bear specific responsibility for data security, and ensure that sufficient training is provided for staff members;
- Conduct regular risk assessments on data security for new systems and applications before launch, as well as regularly thereafter;
- Implement a series of technical and operational security measures;
- Properly manage data processors: A data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor;
- Take timely remedial actions in the event of data security incidents, thereby reducing the gravity of harm that may be caused to the organisation and affected individuals; and
- Regularly monitor, evaluate and improve compliance with data security policies.
For details, please download the “Guidance Note on Data Security Measures for Information and Communications Technology”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_datasecurity_e.pdf
To assist organisations in preparing themselves in the event a data breach occurs, the PCPD has also issued the “Guidance on Data Breach Handling and Data Breach Notifications”, which contains practical recommendations to help organisations prepare data breach response plans and handle data breach incidents.
Please download the “Guidance on Data Breach Handling and Data Breach Notifications” from the website:
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf
-End-