Negligence suspected in HKU data theft
Irene Jay Liu
A huge loss of students' personal data at the University of Hong Kong last week may have involved staff negligence, the university has said.
The university said that the data loss 'may have involved negligence of the staff member' and the way the data had been stored and transported was 'not in line with the approved practice'.
University guidelines ban the unauthorised downloading and removal of data and files from the office. Data should be encrypted and stored in locked cabinets, according to a University of Hong Kong spokeswoman.
A USB memory stick containing student and applicant data and the paper files of nine students were stolen from an HKU employee at a Causeway Bay mall.
The breach affected about 6,800 students and applicants.
The employee who lost the data works for the Faculty of Social Sciences and is responsible for processing students' and applicants' data. The staff member has received a warning letter and the school is considering further disciplinary action.
The data included current and previous-year applicants to the Faculty of Social Sciences postgraduate programme, as well as every social science postgraduate since 2006.
The data loss affects both local and international applicants, 40 per cent of whom are from the mainland.
The data exposure also affects some students enrolled in 2004 and 2005.
The university announced the data loss last Thursday night, two days after the incident happened.
In an e-mail, faculty secretary Amy Tsang told those affected that 'the lost data includes the personal particulars contained in your application forms (such as contact details, ID card number, etc)'.
But the university did not explain the full extent of the data in the lost memory stick, which contained most of the personal data submitted on the online application forms for 2011-2012 applicants to the Faculty of Social Sciences. It included their full names, addresses, phone numbers, Hong Kong ID and passport numbers.
No data about application fee payments, such as bank or credit information, was exposed. Limited data was lost for applicants from the previous year.
Some of the paper files of nine current students included their original application form and their correspondence addresses.
HKU said it had reported the theft to the police and the Office of the Privacy Commissioner for Personal Data.
The office had launched a compliance check on the incident, a spokeswoman said.
The theft is still under investigation and no arrests have been made.
The number of people who were affected by the theft of the memory stick last week: 6,800
Jun 2010 Medical records and personal information of 3,000 eye patients from Caritas Medical Centre suspected to have been stolen
Mar 2009 A doctor at the United Christian Hospital loses USB memory stick containing patients' medical records
Jul 2008 HSBC digital tape containing 25,000 recorded phone conversations lost while being couriered from Guangzhou to Hong Kong
Apr 2008 HSBC loses a computer server during renovations at its Kwun Tong branch. It contained customer names, numbers and transaction information of 159,000 accounts.