Hong Kong privacy watchdog blasts electoral office for massive data breach

Officials under fire for keeping details of all city’s 3.78 million voters on laptop that was stolen the day after chief executive election

PUBLISHED : Monday, 12 June, 2017, 9:52pm
UPDATED : Monday, 12 June, 2017, 10:12pm

A report by the Privacy Commissioner found the electoral office failed to take adequate steps to protect the personal data of Hong Kong’s 3.78 million voters stored in one of two laptop computers that were stolen during the chief executive election in March.

The report, released on Monday, accused the Registration and Electoral Office of lacking “the requisite awareness and vigilance expected of it in protecting personal data”.

The commissioner ruled the office had broken the data protection principle of the Personal Data (Privacy) Ordinance.

Arguably the worst personal data breach in Hong Kong, the incident came to light on March 27 when electoral officers went to pack up at the AsiaWorld-Expo, fallback venue for the election of the city’s leader the day before. Two notebook computers stored in a room were missing, presumably stolen.

One contained the names of the roughly 1,200 members of the Election Committee that picks the chief executive. The other contained information about all Hong Kong’s registered voters, including their names, addresses, ID card numbers, and the geographical constituencies in which they were registered.

Police classified the case as theft.

In a special Legislative Council panel meeting in April, electoral officials claimed the practice of storing all voters’ data in a computer was for cross-checking information of Election Committee members when needed. They maintained the risk of a leak was low because the data had undergone “multiple layers of encryptions”.

But the Privacy Commissioner’s report criticised this practice, saying it was “not well thought out or adaptive to the special circumstances of the case”.

The commissioner has served an enforcement notice on the electoral office, directing it to take remedial and preventive measures, including no longer using data of the wider electorate when handling inquiries in chief executive elections.

As for the loss of the computer containing the names of Election Committee members, the commissioner was satisfied there was no breach of privacy regulations as the information was already publicly available.

A spokesman for the Constitutional and Mainland Affairs Bureau said it would study the report and follow up on the recommendations.

A separate government task force looking into the incident is expected to release its report on Tuesday.