The Office of the Privacy Commissioner for Personal Data (PCPD) announced on Thursday that it had completed an investigation into the Urban Renewal Authority (URA) data leak incident and released its findings today. The privacy watchdog also issued updated "Guidance on Cloud Computing."
The investigation was initiated following a data breach notification from the URA to the PCPD on May 13, 2024. The notification reported that personal data of members of the public, stored by the URA on a cloud platform, could be accessed by anyone without entering an account name or password.
The URA utilized the e-Form platform associated with the cloud platform ArcGIS Online to create two e-forms for briefing sessions on the property acquisition under the Nga Tsin Wai Road / Carpenter Road Development Scheme. These e-forms were launched on May 2, 2024, for owners, tenants, and shop operators to register for the briefing sessions.
Following a notification from the Police on May 3, 2024, that some of the data from the e-forms might have been leaked, the URA immediately stopped using the ArcGIS Online platform and deleted the personal data stored therein.
The URA later discovered that the personal data of individuals who registered for the briefing sessions was accessible to anyone without logging into an account with a password. Consequently, they submitted a data breach notification to the PCPD on May 13, 2024.
In response to the incident, the URA conducted a joint investigation with the contractor that provided the e-Form Platform. They discovered that there were different versions of the software for the e-Form Platform, with the new version available since July 2022. Notably, the default data-sharing settings differed between the old and new versions. The URA had used an older version of the software, which did not include the enhanced data protection features of the new version. Additionally, the URA acknowledged that its staff lacked sufficient knowledge and understanding of the software versions when testing the e-forms, leading to inadequate review of the data-sharing settings and insufficient security testing.
The URA agreed that the incident would not have occurred if the latest version of the e-Form Platform had been used.
Throughout the investigation, the PCPD conducted five rounds of inquiries with the URA and approached the contractor twice to obtain relevant information about the incident. The primary causes identified were the failure to update the software promptly and a lack of understanding of the software used to collect personal data.
As a result, the Privacy Commissioner found that the URA had not taken all practicable steps to ensure the protection of personal data against unauthorized or accidental access, processing, erasure, loss, or use, thereby contravening the Data Protection Principle of the Personal Data Ordinance concerning the security of personal data.
The Privacy Commissioner has issued a warning letter to the URA, requesting it to implement measures to enhance the protection of personal data to prevent future contraventions.
In light of the increasing use of cloud computing services, the PCPD has also updated the Guidance on Cloud Computing to clarify the ordinance's requirements applicable to cloud computing and assist organizations in enhancing personal data privacy protection. The updated Guidance provides recommended measures covering service and deployment models, standard services and contracts, and outsourcing arrangements.
The URA has acknowledged the PCPD's investigation findings, admitting that the incident could have been avoided with timely software updates and better knowledge of data-sharing settings.
The URA stated that since the incident, it has deactivated the involved cloud platform, deleted the affected data, reported the situation to the PCPD, issued a public notice, and personally apologized to the impacted parties. They have also engaged with the cloud service vendor to prevent future breaches.
Moving forward, the URA is committed to enhancing its data protection measures, learning from this incident, and fostering a culture that prioritizes the protection of personal data privacy, so as to reduce the risk of similar occurrences.