Data breach cases hit record high last year, says privacy chief

February 01, 2019 12:31
Privacy Commissioner for Personal Data Stephen Wong is asking for a bigger allocation for his office to boost his staff by at least 50 percent. Photo: HKEJ

Hong Kong saw a record-breaking number of data breach notifications last year, while complaints about such breaches also increased significantly, the Hong Kong Economic Journal reports, citing official data. 

Several large-scale data breach incidents also emerged last year, raising public concern. Companies involved included Cathay Pacific Airways (00293.HK) and consumer credit reporting agency TransUnion. 

A total of 129 data breach incidents were reported to the Office of the Privacy Commissioner for Personal Data last year, up from only 30 in 2010

The number of cases last year was 22 percent more than in 2017, when 106 such incidents were reported. 

The data breach incidents included hacking, system misconfiguration, loss of documents or portable devices, inadvertent disclosure of personal data by fax, email or post, etc. 

The office also received a total of 1,890 complaints last year, up 23 percent from 1,533 in 2017.  

Of these complaints, 501 involved the use of information and communications technology in 2018. That's more than a twofold jump from 237 a year earlier. 

The office conducted 289 compliance checks and four compliance investigations last year. 

Summing up his office’s work in a media gathering on Thursday, the Privacy Commissioner for Personal Data Stephen Wong Kai-yi said the large-scale data breach incidents that happened last year underscored the need for organizations to enhance data security.

“Organizations must constantly bear in mind the fact that personal data belongs to the individuals, and hence there is sufficient legal and ethical basis to control the entire life cycle of personal data,” Wong said. 

Organizations have both statutory and ethical responsibilities to collect, handle and safeguard personal data properly, he added. 

The privacy chief declined to comment on individual cases still under investigation, saying that even if the investigations are completed, the matter of issuing a public report will depend on whether doing so is in the public interest, which is different from letting people know what they want to know. 

In November, Wong said Cathay Pacific may have violated privacy rules following a data breach involving 9.4 million passengers. The airline faced criticism for the seven-month delay in reporting the incident. 

In another case, the Hong Kong unit of the US consumer credit reporting agency TransUnion was forced to suspend its online services after it emerged that Chinese-language newspaper Ming Pao was able to obtain the personal credit records of a number of public figures, including Chief Executive Carrie Lam Cheng Yuet-ngor and Financial Secretary Paul Chan Mo-po

Wong said his office has not expanded in size while its workload has been on the rise in recent years. As such, Wong said, he hopes the government can allocate more resources to the office, including increasing the number of its staff, 69 at present, by at least 50 percent. 

As to criticisms that the office is a “toothless tiger” because it has limited powers, Wong said he is pushing for amendments to the Personal Data (Privacy) Ordinance. 

Public consultation on the revision of the ordinance is now in its final stage and is expected to be completed in the first half of this year, he added. 

– Contact us at [email protected]