
Hong Kong Sees Significant Rise in Data Breach Reports in 2023
In January 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) published a report documenting a notable surge in data breach notifications over the past year. In 2023, the number of reported incidents jumped by nearly 50%, with 157 breaches compared to 105 in 2022. These incidents spanned a variety of causes, including hacking attempts, data losses, and accidental disclosures, impacting both public and private sector organizations. Notably, hacking cases saw the largest increase, rising from 29 to 64, and accounted for over 40% of all breaches reported in 2023.
Hong Kong 1H2024 Overview: Continued Rise of Data Breach Trends
Data breaches reported in Hong Kong show no signs of slowing down. A report by Surfshark’s Global Data Breach Analytics in July 2024 [1] revealed a 51% surge in breached accounts in Hong Kong during Q2 2024 compared to the previous quarter, with total breaches surpassing 1 million in just the first half of the year. Notable incidents during the year included breaches at BMW Hong Kong [2], the Hong Kong Fire Department [3], the Hong Kong Companies Registry [4], Hong Kong College of Technology [5], and the Hong Kong Vocational and Continuing School [6], among others.
Strengthening Data Privacy and Cybersecurity: Key Recommendations from the Commissioner Following Cyberport Ransomware Attack
Ahead of the one-year mark of the high-profile ransomware attack on Cyberport’s information systems, the PCPD released a comprehensive report outlining key findings and deficiencies that contributed to the breach. Notable issues included:
a. Over-retention of personal data beyond necessity.
b. Ineffective system detection measures.
c. Lack of multi-factor authentication for remote access.
d. Inadequate security audits.
e. Ambiguities in the security policy.
Enforcement Action. The investigation concluded that Cyberport violated Data Protection Principles (DPP) 2(2) and 4(1), failing to implement adequate security measures and unnecessarily retaining personal data. The Commissioner issued an enforcement notice requiring Cyberport to:
• Strengthen system security and detection measures.
• Implement multi-factor authentication for remote users.
• Conduct annual security audits by independent experts.
• Develop and implement comprehensive cybersecurity policies.
• Establish clear data retention policies and delete unnecessary personal data.
Additionally, the Commissioner recommended all organizations processing personal data adopt measures such as appointing Data Protection Officers, conducting regular risk assessments, establishing robust cybersecurity frameworks, and fostering a corporate culture that prioritizes information security.
The report emphasized the importance of proactive data protection and timely deletion of unnecessary data to mitigate the risks of cyberattacks.
Conclusion: Addressing the Evolving Threat Landscape
The surge in data breaches across Hong Kong highlights the urgent need for stronger data protection measures. The rise in high-profile incidents demonstrates an evolving threat landscape, emphasizing the importance of adopting comprehensive data privacy and cybersecurity practices.
The PCPD stressed the need for organizations to implement multi-factor authentication, conduct regular risk assessments, and provide rigorous employee training on data security. Additionally, establishing a Personal Data Privacy Management Programme and appointing Data Protection Officers (DPOs) are crucial steps for ensuring ongoing compliance and security vigilance.
As data breaches continue to rise, both public and private organizations must address vulnerabilities proactively. By adopting these recommendations, they can better protect personal data, fortify their defences against cyber threats, and foster a more secure digital environment.
1. Hong Kong Business (2024, August). HK data breaches up by 51% in Q2 2024. https://hongkongbusiness.hk/information-technology/news/hk-data-breaches-51-in-q2-2024
2. South China Morning Post (2024, July 25). Personal data of 14,000 BMW customers in Hong Kong leaked. https://www.scmp.com/news/hong-kong/law-and-crime/article/3271905/personal-data-14000-bmw-customers-hong-kong-leaked
3. South China Morning Post (2024, May 6). Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public. https://www.scmp.com/news/hong-kong/law-and-crime/article/3261641/hong-kong-fire-service-reports-potential-leak-personal-data-5000-staff-members-public
4. South China Morning Post (2024, May 3). Personal data of 110,000 people leaked after breach at Hong Kong’s Companies Registry, investigation finds. https://www.scmp.com/news/hong-kong/law-and-crime/article/3261403/personal-data-110000-people-leaked-after-breach-hong-kongs-companies-registry-investigation-finds
5. Hong Kong Free Press (2024, May 10). Hackers steal data on 8,100 Hong Kong students amid wave of cyberattacks. https://hongkongfp.com/2024/05/10/hackers-steal-data-on-8100-hong-kong-students-amid-wave-of-cyberattacks/
   HKCert (2024, Aug 12). Ransomware’s New Front: Uncovering the Latest Threats Facing Hong Kong. https://www.hkcert.org/blog/ransomware-s-new-front-uncovering-the-latest-threats-facing-hong-kong
6. Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public. https://www.scmp.com/news/hong-kong/law-and-crime/article/3261641/hong-kong-fire-service-reports-potential-leak-personal-data-5000-staff-members-public