Lawmakers and IT experts have raised concern over the serious implications of the loss of personal data of electors and registered voters in the wake of Sunday’s chief executive election.
They said the incident, considered by some as the most massive case of electronic information loss in Hong Kong so far, resulted from the violation of the most basic security procedures and could have a grave impact on the privacy and security of those affected.
In a statement on Monday, the Registration and Electoral Office (REO) confirmed that two laptop computers containing information on all the 1,200 Election Committee members and more than three million registered voters, have gone missing, Ming Pao Daily reports.
A police investigation is underway.
According to the REO, its staff put the two laptops in a locked room equipped with closed-circuit television cameras at the AsiaWorld-Expo, the fallback venue for Sunday’s chief executive election.
But when the staff picked up materials from the venue on Monday morning, they found that the two computers were no longer there and probably stolen.
It apologized to all those affected by the incident, saying it is fully assisting in the police investigation and will submit reports to the Electoral Affairs Commission and the Constitutional and Mainland Affairs Bureau after conducting a thorough review of the department’s arrangements for handling voter registration information.
One of the laptops contains the names of Election Committee members with no other personal information while the other contains the names, addresses and Hong Kong Identity Card numbers of electors of geographical constituencies, which have been encrypted in accordance with the relevant security requirements, the REO said.
The agency stressed that all the information in the missing computers is protected by multiple encryptions which are extremely difficult to break through, and that no voting records are stored in the computers.
It said it would notify the affected electors of the incident as soon as possible.
However, the REO failed to explain why the laptops containing such important data were brought to the alternative venue at AsiaWorld-Expo, instead of placing them at the Hong Kong Convention and Exhibition Center, where the election was held, and why it did not report the loss to the police until several hours later.
Besides, according to established procedures, the information in the laptops should have been deleted as soon as the election was completed.
Civic Party legislator Dennis Kwok Wing-hang has asked the Legislative Council to hold an emergency session on Wednesday to discuss the incident.
Legislator Charles Mok Nai-kwong, who represents the information technology sector, said he was worried about the risk that the information might be misused or sold for unauthorized purposes since encryptions are not foolproof.
Mok said he has written to Raymond Tam Chi-yuen, Secretary for Constitutional and Mainland Affairs, for explanations and details of the case.
The Office of the Privacy Commissioner for Personal Data said it received two complaints and two inquiries regarding the incident as of Tuesday afternoon.
A source said investigators from the crime unit of the New Territories South Regional Police Headquarters were focusing on four REO employees who were the only ones who had access to the room where the laptops were placed, although the possibility that some other people could also have entered the room is not ruled out.
Criticizing the REO for making a “low-level” mistake, Anthony Lai, a computer security expert, told Apple Daily that all major banks and multinational corporations have a common rule that customer data should never be saved in laptops but in servers because laptops are considered most unsafe for storing data.
He personally suspected that there was a political motive behind the theft, noting that the personal information, if they fall into the wrong hands, could result in monetary loss for some electors, or cause them to be followed or monitored.
– Contact us at firstname.lastname@example.org