Step up cybersecurity measures to prevent personal Hong Kong data leaks

Three serious Hong Kong government breaches in a week are an embarrassment and highlight need for public and private sectors to eliminate latest risks

SCMP Editorial

Published: 6:15am, 10 May 2024

Why you can trust SCMP

The prime responsibility of any organisation that collects, stores and uses people’s personal details is to take every step necessary to ensure the information is kept safe and secure. Successive Hong Kong government departments have, however, failed to honour this basic requirement, experiencing a series of embarrassing data leaks. It is an unacceptable state of affairs.

Details of three serious breaches were revealed last week. The Companies Registry leaked the data of 110,000 people, including names, passport and identity card numbers.

Personal information of 17,000 residents collected during the pandemic in 2022 was exposed by the Electrical and Mechanical Services Department following an error in the password login system. And the Consumer Council breached privacy rules when details of more than 170 people were leaked in a cybersecurity attack.

This week, the Fire Services Department joined the list, revealing a potential data leak involving details of more than 5,000 staff and residents.

Ada Chung Lai-ling, Hong Kong’s personal data privacy commissioner, at a press conference on a data leak investigation report in Wan Chai. Details of three serious breaches were revealed last week. Photo: Yik Yeung-man

The blunders are part of a series of disturbing breaches in recent months in the public and private sectors. Some were due to human error and others the result of a vulnerable system.

There is an urgent need for porous defences to be strengthened. Our privacy is at stake.

All government bureaus and departments have been ordered by its top information technology unit to review the security of their systems and to report back within a week. This is a necessary first step.

But much more needs to be done. Departments also have been reminded to strictly comply with the government’s rules, policies and guidelines on data security.

They should not need to be told.

Chief Executive John Lee Ka-chiu said in his policy address last year that a new digital policy office would be established to steer and monitor IT-related affairs across the government. Photo: Yik Yeung-man

The repeated leaks raise broader questions about the way in which the government handles personal data security. Some have called for cybersecurity protection to be centralised to ensure better coordination and control.

This is a sensible suggestion.

Chief Executive John Lee Ka-chiu announced in his policy address last year that a new digital policy office would be established to steer and monitor IT-related affairs across the government. It is due to be established soon.

The new office must hit the ground running and make cybersecurity its priority.

New policies must be quickly introduced. People’s personal data should no longer be put at risk.

There must be greater community awareness of the need to ensure systems are watertight. Efforts to promote cybersecurity should be stepped up and training provided.

The risks posed by cyberattacks are growing globally and the hackers are becoming more sophisticated. It is important for all organisations collecting personal data to keep pace with developments and ensure the information is safe.

Post