South China Morning Post
Advertisement
Advertisement
Hong Kong society
Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
The Electrical and Mechanical Services Department’s headquarters in Kowloon Bay. Photo: Handout
Hong KongSociety

Hong Kong privacy watchdog to grill authorities over ‘serious’ leak of 17,000 people’s data

  • Privacy commissioner Ada Chung urges Electrical and Mechanical Services Department to notify all affected individuals, hours after latter issues apology
  • Data includes names, telephone numbers, identity card numbers and addresses of public housing tenants collected for testing orders during Covid-19 pandemic
Hong Kong society
Jeffie Lam
Jeffie Lam
Why you can trust SCMP
Hong Kong’s privacy watchdog will investigate a “serious” data leak involving the personal information of 17,000 residents collected during the Covid-19 pandemic that resulted from an error in a government department’s password login system.

Privacy Commissioner for Personal Data Ada Chung Lai-ling on Friday also urged the Electrical and Mechanical Services Department to notify all affected individuals, hours after the latter issued an apology over the incident.

The system security failure led to the exposure of personal information, such as names, telephone numbers, identity card numbers and addresses, collected during “restriction-testing declaration” operations between March and July of 2022.

Authorities conducted such operations at the height of the pandemic as part of testing orders that locked down buildings until all occupants had been tested for the virus.

“We think the situation is serious. We will follow our procedures and commence an investigation,” Chung told a radio programme.

“We have suggested the department notify affected individuals as there are relatively more people affected.”

The leak consisted of data from residents living at 14 public housing blocks subject to restriction-testing declaration operations. Those affected included tenants at Yan Ching House in Kai Ching Estate, Oi Ming House in Yau Oi Estate and Kwong Wai House in Kwong Fuk Estate.

The department said on Thursday that the watchdog had notified it after receiving a public report data stored on a designated online server that was supposed to be restricted to authorised personnel was accessible without a password login.

“The Electrical and Mechanical Services Department immediately checked and found that the password login system had failed. The data could be browsed without entering any password but they were not downloadable,” it said, adding the data had been removed.

“The [department] expresses its sincere apologies for the incident.”

The data was collected as part of testing orders during the pandemic. Photo: K. Y. Cheng

The case had been reported to police, the Office of the Government Chief Information Officer and the Security Bureau, it said.

The department said there was currently no evidence to suggest the data had been published elsewhere, adding it would notify the relevant households.

Additional reporting by Edith Lin

Post