Hong Kong IT sector legislator Charles Mok apologises after data of 15,000 people who signed his petition gets hacked
Personal details harvested in hack of Barcelona-based company that ran lawmaker’s petition against changes to voting times
The man representing Hong Kong’s IT sector in the city’s legislature apologised on Saturday after falling victim to a cyberattack that harvested the personal details of 15,000 people who signed an online petition he started.
The city’s privacy watchdog voiced concerns about the breach at a company used by Charles Mok, and a local cybersecurity expert has said the problems could be even more widespread, given the firm’s popularity with major companies.
The move by the Office of the Privacy Commissioner for Personal Data came hours after Mok issued his apology on Saturday night. He revealed that the personal data of about 15,000 city residents who signed his petition last year – including their names, opinions and 9,500 email addresses – had been hacked.
The petition was against a government plan to shorten polling times for city elections. The plan was eventually shelved in May after an overwhelming number of objections from people who feared the measure would strip shift workers of their voting rights.
While Mok emphasised his office had deleted all the data collected right after the campaign, the lawmaker said he was told on July 2 by Typeform – a Barcelona-based online survey service provider hosting the petition – that part of the data had been downloaded by hackers.
It was part of a much wider data breach at Typeform. Other victims included the Tasmanian Electoral Commission, budget hotel chain Travelodge, British grocer Fortnum & Mason and UK political party the Liberal Democrats.
“Information users should adopt all feasible security measures to ensure all personal data collected will not be accidentally revealed or leaked,” privacy commissioner Stephen Wong Kai-yi said on Saturday night.
“Even though a service contractor has been hired to handle the personal data, [the information user] should still use means such as contractual obligation to prevent ... the data being read, handled, deleted, lost or used accidentally or without permission.”
But Wong said it was good that Mok had informed the watchdog soon after he learned about the leak, adding his team would approach the lawmaker’s office and conduct a compliance assessment.
Mok said there was no evidence the leaked data had been used by criminals, but called on affected citizens to stay vigilant against scam and spam emails.
The internet entrepreneur also pledged to stop using Typeform’s services until it improves security, and to thoroughly review the security of the different service providers he uses to prevent the incident from happening again.
Cybersecurity and hacking expert Anthony Lai Cheuk-tung, a security researcher at Valkyrie-X Security Research Group, said he feared the incident was only “the tip of the iceberg” as, he said, a lot of conglomerates – such as Apple – also use the service provided by Typeform.
Lai called on the privacy commissioner to tell Typeform to hand over a list of its Hong Kong clients. He added it would be better for information users to hire Hong Kong-based companies when gauging public views for campaigns.
“The users could demand such survey service providers delete the information straight away once the campaign ends, but some might not comply,” he said. “At least the city’s privacy commissioner could go after those companies, if they are based in Hong Kong.”
In a statement, Typeform said it was aware on June 27 that an unknown third party had gained access to its server and downloaded certain information, adding it had immediately cut off the source of the breach to prevent any further intrusion.