On completion of its investigation into the data breach incident of the Companies Registry (the Registry), the Office of the Privacy Commissioner for Personal Data (PCPD) published the investigation findings today.
The investigation arose from a data breach notification submitted by the Registry to the PCPD on 19 April 2024, reporting the risk of personal data leakage identified in the e-Search Services of the e-Services Portal (the Incident).
Background
On 27 December 2023, the Registry launched its fully revamped “Integrated Companies Registry Information System” (the relevant system) together with the “e-Services Portal” to provide users with electronic search and document submission services. Subsequently, during routine work on 18 April 2024, the Registry discovered that the e-Search Services of the “e-Services Portal” transmitted additional personal data to searchers’ computers beyond the relevant search information. However, the personal data concerned was not directly displayed on the search result pages: searchers needed to open the web developer tool[1], which was rarely used by general users, on the search result pages, use the search function within different panels of the web developer tool and enter part of the personal data concerned (such as partial Hong Kong Identity (HKID) Card numbers) to locate the “additional” personal data. Furthermore, searchers could also access some of the “additional” personal data using robotic search[2]. In addition, the same issue was also identified in the electronic submission of notices relating to third parties appointed by licensed money lenders.
Investigation Findings
The PCPD conducted four rounds of enquiries with the Registry and approached the contractor engaged by the Registry for the revamp of the relevant system (the Contractor) twice to obtain information regarding the Incident. The PCPD also reviewed over 1,500 pages of documents provided by the Registry, including the service contract between the Registry and the Contractor, and design and test reports of the relevant system, etc. The PCPD thanked the Registry and the Contractor for their cooperation and the provision of the information requested in the investigation.
According to the information provided by the Registry and the Contractor, the Incident stemmed from the use of common modules (常用模組) in designing the affected functions of the relevant system without removing excessive data fields, which resulted in the transmission of “additional” personal data to searchers’ computers. The investigation revealed that this issue had been present since the launch of the relevant system (i.e. 27 December 2023). However, the “additional” information concerned was not directly displayed on the search result pages, and there was no evidence to suggest that the “additional” personal data was subject to any unauthorised or accidental access.
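The root cause described above is a familiar over-fetching pattern: a shared data-access module returns a whole internal record, and the web layer serialises it to the browser even though the page only renders a few fields. The following is an added illustration, not code from the Registry, the Contractor or the PCPD; the record layout, field names and values are constructed for the example. It contrasts the unfiltered serialisation with an explicit response allow-list, and adds two regression checks a team can run against a captured response body: one that flags fields outside the allow-list, and one that scans the raw body for an identity-number pattern regardless of field names.

```python
import json
import re

# Constructed internal record such as a shared ("common") module might return.
# Field names and values are hypothetical; the HKID-style value is made up.
INTERNAL_DIRECTOR_RECORD = {
    "company_no": "0000001",
    "director_name": "Example Director",
    "appointment_date": "2023-12-27",
    "hkid_number": "Z123456(7)",            # constructed, not a real number
    "passport_number": "P0000000",          # constructed
    "usual_residential_address": "1 Example Road, Hong Kong",
}

# The only fields the public search-result page is designed to show.
SEARCH_RESULT_ALLOWLIST = frozenset({"company_no", "director_name", "appointment_date"})

# Simplified, constructed approximation of an HKID-style token (1-2 letters,
# six digits, bracketed check character); used only to catch obvious leakage.
SENSITIVE_PATTERNS = {
    "hkid": re.compile(r"(?<![A-Z0-9])[A-Z]{1,2}\d{6}\([0-9A]\)(?![A-Z0-9])"),
}


def serialize_unfiltered(record):
    """The over-fetching defect: the shared module's entire record goes to the browser."""
    return json.dumps(record)


def serialize_allowlisted(record, allowlist=SEARCH_RESULT_ALLOWLIST):
    """The fix: project onto an explicit allow-list before serialising."""
    return json.dumps({k: v for k, v in record.items() if k in allowlist})


def excess_fields(response_body, allowlist=SEARCH_RESULT_ALLOWLIST):
    """Return top-level JSON fields in a response that are outside the allow-list."""
    payload = json.loads(response_body)
    return sorted(set(payload) - set(allowlist))


def sensitive_hits(response_body):
    """Return the names of sensitive-data patterns found anywhere in the raw body.

    This check does not depend on field names, so it still fires if a new
    module nests the data under an unexpected key.
    """
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(response_body))


def check_response(response_body, allowlist=SEARCH_RESULT_ALLOWLIST):
    """Combine both checks into one list of findings; empty means the response is clean."""
    findings = [f"field outside allow-list: {f}" for f in excess_fields(response_body, allowlist)]
    findings += [f"sensitive pattern in body: {p}" for p in sensitive_hits(response_body)]
    return findings


if __name__ == "__main__":
    print("unfiltered:", check_response(serialize_unfiltered(INTERNAL_DIRECTOR_RECORD)))
    print("allow-listed:", check_response(serialize_allowlisted(INTERNAL_DIRECTOR_RECORD)))
```

The allow-list is the preventive control: it makes the set of fields that reach the browser an explicit design decision instead of a side effect of whatever the shared module happens to return. The two checks are the detective control; run over responses captured in pre-launch testing (the same kind of test and code-review step the findings below refer to), they would have flagged the extra fields even though nothing on the rendered page looked wrong.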
A total of 109,002 individuals might have been affected by the Incident. The personal data involved included the HKID Card numbers, passport numbers and/or usual residential addresses (URAs) of 108,575 directors of companies; the HKID Card numbers and/or passport numbers of 217 disqualified persons, applicants of money lenders, and third parties appointed by licensed money lenders; and the names, telephone numbers and/or email addresses of 210 contact persons of money lenders. The investigation revealed that nearly 90% of the personal data involved, including the personal data of directors of companies, was available for inspection in the images of documents registered with the Registry.
In the aftermath of the Incident, the Registry has notified all individuals who might have been affected by the Incident, immediately rectified the relevant system design, engaged an independent third party to conduct a comprehensive review of the relevant system and taken remedial actions to prevent recurrence of similar incidents.
Having considered the circumstances of the Incident and the information obtained during the investigation, the PCPD’s observations regarding the Incident are as follows:
Data Protection Principle (DPP) 4(1) of Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO) requires a data user to take all practicable steps to ensure that personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
The PCPD’s investigation revealed that there is no evidence to suggest that the “additional” personal data had been subject to any unauthorised or accidental access. Based on the information obtained during the investigation and the relevant facts, the PCPD noted that the Registry implemented a series of security measures in the revamp of the relevant system, which included incorporating contractual requirements on the security measures that should be taken by the Contractor in the revamp of the relevant system, the tests and assessments conducted by both the Registry and the Contractor prior to the launch of the relevant system, as well as the additional code reviews.
Based on the above findings, the PCPD considered that there is insufficient evidence to suggest that the Registry failed to take all practicable steps to safeguard the personal data held by it during the revamp of the relevant system in a manner amounting to a contravention of DPP 4(1). Notwithstanding the above, in light of the fact that there was indeed a risk of personal data leakage associated with the relevant system, the PCPD advised the Registry to conduct regular and thorough reviews of any systems containing personal data to ensure that they are free from other system design and security vulnerabilities.
Given that the Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, was appointed as the Registrar of Companies before September 2020, Ms CHUNG was not involved in this investigation to avoid any possible conflict. This investigation was led and conducted by the Assistant Privacy Commissioner for Personal Data (Legal) (Acting), Ms Fiona LAI Ho-yan, and Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei.
Commenced Compliance Check against Deliveroo
In addition, takeaway delivery platform Deliveroo recently announced that it would be ceasing its operations in Hong Kong, which may affect the personal data privacy rights of its customers and delivery riders. The PCPD has commenced a compliance check against Deliveroo in accordance with established procedures to gather more information, with a view to assisting the relevant merchants, including the operator taking over the business, in handling, deleting or transferring the personal data of customers and delivery riders in compliance with the requirements of the PDPO. The compliance check has been commenced to ensure that the personal data concerned would not be misused, leaked or fall into the hands of fraudsters for fraudulent activities. The PCPD appeals to the affected customers and delivery riders to make enquiries with the relevant merchants or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk) if they are concerned about how the merchants handle their personal data.