The privacy watchdog says email addresses, phone numbers and birthdays were among the personal data leaked. Photo: Shutterstock

Online platform Carousell violated Hong Kong privacy laws, watchdog finds, after data of over 320,000 locals leaked

  • Office of the Privacy Commissioner for Personal Data says second-hand goods selling platform Carousell reported breach relating to 2.6 million global users in October
  • More than 320,000 affected locally, watchdog says, with company served enforcement notice to ensure it remedies situation and prevents its recurrence

Popular online marketplace Carousell violated Hong Kong’s privacy laws, a watchdog said on Thursday, following the discovery of the personal data of more than 320,000 local users on sale on the dark web.

The Office of the Privacy Commissioner for Personal Data announced the findings from its investigation into the leak, which the platform reported in October last year, calling the incident “serious” given its scale.

“With regards to the information leaked, it involves email addresses, phone numbers, birthdays, birth months and years,” privacy commissioner Ada Chung Lai-ling said.

“We think this situation is serious, especially since it involves more than 320,000 users.”

Carousell discovered in October 2022 that the personal data of 2.6 million users, among which 324,232 were from the city, was being sold online. The platform told the watchdog and the affected users following the incident.

Chung said Carousell had noted that the leak was linked to a loophole in its system migration process that began in January 2022, which hackers exploited in May and June last year to steal personal information that was not available to other users.

The issue was only discovered and resolved in September last year while the platform was testing a new feature, but it was determined at the time that the loophole had not been exploited.

Chung said leaked information could allow criminals to do many things, including directly contacting those involved, stealing their identity to scam others and accessing other accounts belonging to them.

Commissioner Ada Chung reveals details of the investigation. She says Carousell indicated the leak was linked to a loophole in its system migration process. Photo: Edmond So

The office, which enforces the Personal Data (Privacy) Ordinance, found that the platform was in breach of a data protection principle concerning the security of such information.

It said evidence showed the company had made several errors leading to the hacking, including failing to check whether a comprehensive code review process was carried out, not ensuring there was a thorough security assessment and not having an effective detection mechanism in place.

“In conclusion, the data leakage incident has revealed that Carousell has made fundamental errors in protecting the safety of the personal data held by this group. It is very disappointing,” Chung said.

“I believe that if there were some general risk and safety assessment measures at the time, the incident could have been avoided.”

The watchdog said whether the data had been sold on the dark web was not the subject of its investigation, but warned that part or all of the information could have been bought as it was online.

Chung advised affected users to beware of suspicious calls and emails, check their bank accounts from time to time, change their passwords and enable multi-factor authentication for their other accounts.

The watchdog has served an enforcement notice to the platform demanding that it carry out a series of measures to remedy the situation and prevent its recurrence, which includes hiring an independent data security expert and devising local guidelines to ensure the information security of users.

It said the platform had two months from the date the notice was issued to submit documents to prove it had completed the required actions.

A Carousell spokeswoman said the company respected the written judgment from the office and that it would review the recommendations and continue to work closely with the watchdog.

“Protecting our users’ personal information has been and will always be of paramount importance to us,” she said.

“To ensure that we maintain a robust and effective security posture, we continually invest significant resources in enhancing our security infrastructure and cybersecurity efforts.”

Separately, the watchdog revealed the findings of another investigation that looked into four complaints related to the use of personal data in human resources management, including two cases in which supervisors improperly disclosed details of employees’ illnesses in chat groups on instant messaging apps.

One of the cases involved a worker at Kwong Wah Hospital who asked his department manager for sick leave through an instant messaging app on two occasions. His direct supervisor then forwarded the messages to a chat group with 47 members of staff who worked in the same department, according to the watchdog.

Referring to the two cases, Chung urged employers and those in human resources to be careful when handling health-related information and advised against spreading such personal details on a messaging app.

“Even though you may need to disclose some information to other workers to arrange for staff redeployment, there is no need at all for the employer or for human resources managers to disclose the physical condition of the employee in question to other workers,” she said.

Previous large-scale data leaks in Hong Kong included ransomware attacks on public institutions such as the consumer watchdog and the tech hub Cyberport.

In the Cyberport incident, hackers reportedly demanded a ransom of HK$2.35 million (US$300,500) after stealing more than 400 gigabytes of information.