Online platform Carousell violated Hong Kong privacy laws, watchdog finds, after data of over 320,000 locals leaked
- Office of the Privacy Commissioner for Personal Data says second-hand goods selling platform Carousell reported breach relating to 2.6 million global users in October
- More than 320,000 affected locally, watchdog says, with company served enforcement notice to ensure it remedies situation and prevents its recurrence
Popular second-hand goods selling platform Carousell violated Hong Kong’s privacy laws, a watchdog on Thursday said, following the discovery of the personal data of more than 320,000 of its local users available for sale on the dark web.
The Office of the Privacy Commissioner for Personal Data announced the findings from its investigation into the leak, which was reported by Carousell in October, calling the incident “serious” given its scale.
“With regards to the information leaked, it involves email addresses, phone numbers, birthdays, birth months and years,” commissioner Ada Chung Lai-ling said.
“We think this situation is serious, especially since it involves more than 320,000 users.”
Carousell discovered in October that the personal data of 2.6 million users, of whom 324,232 were from the city, was being sold online. The platform informed the watchdog and the affected users following the incident.
Chung said Carousell had noted that the leak was linked to a loophole in its system migration process.
Chung said leaked information could allow criminals to do many things, including directly contacting those involved, stealing their identity to scam others and accessing other accounts belonging to them.
The Office of the Privacy Commissioner for Personal Data, which enforces the Personal Data (Privacy) Ordinance, found that the platform was in breach of the data protection principle concerning the security of such information.
The watchdog has served an enforcement notice to the platform demanding that it carry out a series of measures to remedy the situation and prevent its recurrence, which includes hiring an independent data security expert and devising local guidelines to ensure the information security of users.
It said the platform had two months from the date the notice was issued to submit documents to prove it had completed the required actions.
