Read More
Night Recap - July 7, 2026
3 hours ago
Domestic helpers' union seeks $6,670 minimum wage
05-07-2026 19:27 HKT




There were five deficiencies behind Cyberport’s defense against the cyber attack last September, which involved the personal data of some 13,000 people, with data being kept unnecessarily despite having expired the statutory time limit for record keeping, Hong Kong’s privacy watchdog said.
The five deficiencies included lacking efficient detection measures in the IT system, not enabling the multi-factor authentication for remote access, insufficient security assessment and audits, lacking detailed IT security measures, and unnecessarily keeping personal data.
Releasing the investigation report on Tuesday, the Office of the Privacy Commissioner for Personal Data said Cyberport didn’t take practical steps to ensure the personal data was protected from unauthorised or accidental access and handling.
Cyberport also didn’t ensure that the time of storing the data wouldn’t exceed the actual time of personal data usage, and was therefore in breach of relevant personal data regulations.
The lack of efficient protocol made Cyberport vulnerable to hackers’ “violent” attacks against its IT system as well, allowing hackers to successfully obtain authentication to the managing account.
Commissioner Ada Chung Lai-ling said Cyberport is a sizable organization and regularly possesses and handles a significant amount of personal data. The public therefore has reasonable expectations that it will put in sufficient resources to protect its IT system and data safety, she added.
The office said it has sent an Enforcement Notice to Cyberport to fix relevant breaches and suggested it sets up a system to manage the personal data stored within its IT system.
The office also called on Cyberport to appoint a data protection officer to conduct risk assessment and delete certain data from time to time to prevent similar incidents from happening again.
Hours before the press conference by the office, Cyberport issued a statement saying its dedicated task force has concluded relevant investigation and reported to the board of directors.
The report has also been submitted to the office, Cyberport said.
“[S]oon after the incident occurrence, the task force was established to closely follow up on work, including swift enhancement of its defense against hacker attacks, implementation of multiple measures such as fortification of network protection barriers to strengthen capabilities of detecting network attacks and intrusions, leading to successful deterrence of subsequent cyber attacks,” it said.
It also said it proactively contacted affected individuals and provided them with complimentary credit and identity monitoring services to mitigate as many potential risks as possible.
It has also engaged professional third-party service providers to conduct regular network security monitoring and ethical hacking, and increased tools to monitor network security.





