Editorial | Carousell hack calls for better Hong Kong security and enforcement action
- Lessons must be learned from a privacy breach at an online marketplace that saw details of city users compromised as well as from the probe that followed

From shopping to banking, the internet has made life more convenient. But it has also made us more vulnerable to online scams and privacy leaks, as shown in the rising numbers of reports over the years.
The latest privacy breach involving a popular online marketplace shows there is still room for improvement, not only in terms of compliance, but also in the handling of the case by the statutory watchdog. The need for better safeguards and enforcement cannot be overstated.
It was bad enough when a loophole in the Carousell system resulted in the personal data of 320,000 local users being put up for sale on the dark web. Worse, the incident only came to light last week when the Office of the Privacy Commissioner for Personal Data announced its findings after a year-long investigation.
Describing the violation as “serious”, the office revealed Carousell first reported in October last year that the personal data of 2.6 million users worldwide, including 324,232 from Hong Kong, was being sold online. It included email addresses, phone numbers and birthdays.

According to the report, hackers exploited a loophole in the system migration process that began in January 2022 and stole the personal details in May and June. The problem was only discovered and resolved in September last year while the platform was testing a new feature, but it was determined at the time that the loophole had not been exploited.