The Office of the Privacy Commissioner for Personal Data (PCPD) today published (1) the Checklist on Guidelines for the Use of Generative AI by Employees and (2) the investigation findings of the data breach incident of ImagineX Management Company Limited.
(1) Checklist on Guidelines for the Use of Generative AI by Employees
As the use of generative AI (Gen AI) has become increasingly prevalent in Hong Kong, many organisations are exploring ways to use Gen AI to enhance their competitiveness and drive digital transformation.
The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, “AI security is one of the important aspects of national security. In the areas of technological innovation and industrial innovation, the Country has all along put equal emphasis on development and security. The necessity to continuously advance the ‘AI Plus’ Initiative to unleash the creativity of the digital economy was specifically highlighted during the 2025 ‘two sessions’. To implement the spirit of the ‘two sessions’ and the Hong Kong Innovation and Technology Development Blueprint promulgated by the Government of Hong Kong, and to facilitate the safe and healthy development of AI in Hong Kong, the PCPD published the Checklist on Guidelines for the Use of Generative AI by Employees (Guidelines) today. The Guidelines aim to assist organisations in developing internal policies or guidelines on the use of Gen AI by employees at work while complying with the requirements of the Personal Data (Privacy) Ordinance (PDPO).”
Prof Hon William WONG Kam-fai, MH, member of the PCPD’s Standing Committee on Technological Developments and the Legislative Council, said, “The Country will continuously promote the ‘AI Plus’ Initiative, aiming to drive high-quality development through innovative applications, as well as explore and expand diverse application scenarios for AI. With the latest Budget proposing to develop AI fully, I believe that more and more organisations will integrate AI into their operational processes. The issuance of the Guidelines by the PCPD can help organisations and their employees use generative AI safely and protect personal data privacy, thereby fostering the safe application of AI across different sectors and accelerating the development of new quality productive forces.”
The Guidelines recommend that organisations cover the following aspects when developing their internal policies or guidelines on the use of Gen AI by employees, with key elements as follows:
- Scope of permissible use of Gen AI: Specify the permitted Gen AI tools (which may include publicly available and/or internally developed Gen AI tools), the permissible purposes of use (for example, drafting, summarising information and/or creating textual, audio and/or visual content) and the applicability of the policies or guidelines;
- Protection of personal data privacy: Provide clear instructions on the types and amounts of information that can be inputted into the Gen AI tools (for example, whether to include personal data or other data), the permissible purposes for using the output information, the permissible storage of the output information, the applicable data retention policy and other relevant internal policies to comply with (for example, those on personal data handling and information security);
- Lawful and ethical use and prevention of bias: Specify that employees shall not use Gen AI tools for unlawful or harmful activities, emphasise that employees are responsible for verifying the accuracy of AI-generated outputs through ways such as proofreading and fact-checking, and for correcting and reporting biased or discriminatory AI-generated outputs, as well as providing instructions on when and how to watermark or label AI-generated outputs;
- Data security: Specify the types of devices on which employees are permitted to access Gen AI tools (for example, work devices provided by employers) and the categories of employees who are permitted to use Gen AI tools (for example, those who have operational needs, have received relevant training, and have prior permission), require employees to use robust user credentials, maintain stringent security settings in Gen AI tools, and report AI incidents (such as data breach incidents involving the use of AI, unauthorised input of personal data into Gen AI tools, abnormal output results and/or output results that may potentially breach the law) according to the organisation’s AI Incident Response Plan; and
- Violations of policies or guidelines: Specify the possible consequences of employees’ violations of the policies or guidelines, and refer to the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) for recommendations on establishing Gen AI governance structure and measures.
The Guidelines also provide practical tips on supporting employees in using Gen AI tools, which include:
- Enhancing transparency of the policies or guidelines: Regularly communicate the policies or guidelines to employees and keep employees informed of any updates in a timely manner;
- Providing training and resources for employees’ use of Gen AI tools: Educate employees on how to use Gen AI tools effectively and responsibly, including explaining the capabilities and limitations of the tools, providing practical tips and examples, and encouraging employees to read the privacy policies and terms of use of such tools, etc.;
- Providing a support team: Set up a designated support team to assist employees in using Gen AI tools in their work, provide technical assistance, and address employees’ concerns; and
- Establishing a feedback mechanism: Establish channels for employees to provide feedback to help the organisation identify areas for improvement and tailor internal policies or guidelines according to the circumstances.
Download the “Checklist on Guidelines for the Use of Generative AI by Employees”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidelines_ai_employees.pdf
Apart from publishing the Guidelines, the PCPD launched the “AI Security Hotline” (2110 1155) today for organisations to make enquiries and to assist organisations in adopting AI while safeguarding the personal data privacy of individuals.
In addition, as announced earlier, the PCPD has launched the “Data Security Training Series for SMEs”, which will include a seminar on “Understanding Data Security and Privacy Risks related to AI for SMEs”. The PCPD will also organise AI seminars to introduce the Guidelines and continue to explain the content of the Model Framework published by the PCPD last year.
Furthermore, the PCPD will continue to organise in-house seminars for organisations. Organisations may contact the PCPD (https://www.pcpd.org.hk/english/education_training/seminars/in_house_seminar.html) to request the inclusion of the Guidelines and the Model Framework as part of the seminar content if necessary. In the first two months of 2025, the PCPD organised 31 in-house training sessions for a total of 28 organisations.
(2) Investigation Findings on the Data Breach Incident of ImagineX
The investigation arose from a data breach notification submitted by ImagineX Management Company Limited (ImagineX) to the PCPD on 31 May 2024, reporting that ImagineX received a ransom note from a threat actor on 15 May 2024, who claimed to have stolen its data and threatened to sell the data (Incident).
The investigation found that the threat actor compromised a temporary user account (Account) on 4 May 2024 that ImagineX had created on its firewall on 24 April 2024. The Account was created for its vendor for urgent remote support. However, the threat actor utilised the Account to gain access to ImagineX’s network. After gaining access, the threat actor performed lateral movement within ImagineX’s network and exploited a vulnerability in an application server that was running an end-of-support operating system to further penetrate the domain controller and other servers containing personal data. The investigation revealed that the Incident resulted in the exfiltration of around 68GB of data from ImagineX’s network. In the Incident, a total of four servers and five system accounts of ImagineX were compromised.
ImagineX is a brand management and distribution company for international fashion and beauty businesses and manages membership programmes for its partnered brands. The Incident affected two loyalty programmes operated by ImagineX, namely the ICARD membership and the Brooks Brothers membership. A total of 127,268 individuals were affected by the Incident, which included 100,185 ICARD members, 27,069 Brooks Brothers members, and 14 current and former employees of ImagineX, etc. The personal data affected included the names, email addresses, telephone numbers, birth months, genders, and nationalities of the members, as well as the passport copies of the employees, etc.
Following the Incident, ImagineX notified all the affected data subjects and provided support to them, which included dark web monitoring and setting up designated email addresses to handle relevant enquiries. ImagineX also implemented various remedial measures to enhance system security after the Incident, which included deleting the compromised Account, replacing the end-of-support application server, and deploying an endpoint detection and response solution for real-time detection and analysis.
The PCPD conducted six rounds of inquiries and reviewed the information provided by ImagineX in relation to the Incident, including an incident report provided by an external cybersecurity expert engaged by ImagineX, and the follow-up and remedial actions taken by ImagineX in the wake of the Incident. The PCPD thanked ImagineX for its cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that the following deficiencies of ImagineX contributed to the occurrence of the Incident (see Annex 1 for details):
- Failure to delete the temporary account in a timely manner after system troubleshooting;
- Use of an end-of-support operating system;
- Ineffective detective measures for information systems; and
- Insufficient security risk reviews and audits for information systems.
Given that ImagineX, as a well-established brand management and distribution company for international fashion and beauty businesses, holds and processes a significant amount of personal data of customers and employees, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that stakeholders (in particular, customers) have a reasonable expectation for ImagineX to implement a high standard of data security measures for its information systems. However, the investigation found that the Incident was caused by human oversight and inadequate security measures to safeguard information systems. The Privacy Commissioner was of the view that if ImagineX had timely deleted the Account and decommissioned the end-of-support operating system before the Incident, the Incident could likely have been avoided.
Based on the above, the Privacy Commissioner found that ImagineX had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the PDPO concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on ImagineX, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, reminds all organisations which hold personal data to proactively adopt appropriate organisational and technical measures to strengthen the security of their information systems and defend against malicious attacks. In particular, organisations should:
- Adopt the “least privilege” principle and “role-based” access control mechanisms by regularly reviewing access rights and deleting unnecessary accounts;
- Cease the use of end-of-support software, or upgrade software in a timely manner;
- Implement effective measures to prevent, detect, and respond to cyberattacks to mitigate the risks of data breaches, including regular vulnerability scans and timely patching of vulnerabilities; and
- Conduct comprehensive security risk reviews and audits for information systems regularly.
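As an added illustration of the first two recommendations (this is not code from the PCPD or ImagineX), the following Python audit walks a constructed account and host inventory and flags temporary accounts that are still enabled past an assumed seven-day lifetime or have no expiry date, plus hosts running an operating system on an assumed end-of-support list. The inventory fields, the seven-day policy and the end-of-support list are assumptions for the example; the dates mirror the 24 April creation and 4 May compromise described above.

```python
from datetime import date

# Constructed sample inventory for illustration only (not ImagineX's real data).
# "expires": None models a temporary account created with no expiry set.
ACCOUNTS = [
    {"user": "vendor_tmp_support", "purpose": "temporary",
     "created": "2024-04-24", "expires": None, "enabled": True},
    {"user": "svc_backup", "purpose": "service",
     "created": "2023-01-10", "expires": None, "enabled": True},
    {"user": "contractor_q1", "purpose": "temporary",
     "created": "2024-03-01", "expires": "2024-03-31", "enabled": False},
]
HOSTS = [
    {"host": "app-srv-01", "os": "Windows Server 2008 R2", "role": "application"},
    {"host": "dc-01", "os": "Windows Server 2022", "role": "domain controller"},
]
# Assumed end-of-support list for the example; maintain this from vendor lifecycle pages.
END_OF_SUPPORT = {"Windows Server 2008 R2", "Windows Server 2012 R2"}


def audit_accounts(accounts, today_iso, max_temp_days=7):
    """Return (user, reason) findings for enabled accounts that violate the
    assumed policy: temporary accounts must carry an expiry and must not
    outlive max_temp_days; no enabled account may be past its expiry."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already out of the attack surface
        if acct["purpose"] == "temporary":
            if acct["expires"] is None:
                findings.append((acct["user"], "temporary account has no expiry date"))
            age = (today - date.fromisoformat(acct["created"])).days
            if age > max_temp_days:
                findings.append((acct["user"],
                                 f"temporary account still enabled after {age} days"))
        if acct["expires"] is not None and date.fromisoformat(acct["expires"]) < today:
            findings.append((acct["user"], "account enabled past its expiry date"))
    return findings


def audit_hosts(hosts, eos_list):
    """Return (host, reason) findings for hosts running an end-of-support OS."""
    return [(h["host"], f"running end-of-support OS {h['os']}")
            for h in hosts if h["os"] in eos_list]


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, "2024-05-04") + audit_hosts(HOSTS, END_OF_SUPPORT):
        print("FINDING:", *finding)
```

Run against a real directory export, the same checks would have surfaced the vendor account on every daily run between its creation and the compromise.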

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, published the “Checklist on Guidelines for the Use of Generative AI by Employees”.

Member of the PCPD’s Standing Committee on Technological Developments and the Legislative Council, Prof Hon William WONG Kam-fai, MH, spoke at the media briefing.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left), and member of the PCPD’s Standing Committee on Technological Developments and the Legislative Council, Prof Hon William WONG Kam-fai, MH (right), took a photo at the media briefing.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (middle), members of the PCPD’s Standing Committee on Technological Developments, Prof Hon William WONG Kam-fai, MH (second right), Ir Alex CHAN (second left), Dr Alan CHEUNG (first right) and Dr Gregg LI (first left) attended the media briefing.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left) and Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei (right), elaborated on the investigation findings of the data breach incident of ImagineX.
-End-