The Companies Registry did not violate privacy regulations even though the personal data of more than 100,000 individuals might have been affected in a data breach, according to an investigation by the Office of the Privacy Commissioner for Personal Data (PCPD).
The privacy watchdog said on Wednesday that there is no evidence that the leaked data, including identity card numbers, passport numbers and addresses, was improperly accessed.
The breach was reported by the Companies Registry on April 19, 2024, after it identified a risk of personal data leakage in the e-Search Services of its e-Services Portal, following a system revamp launched in late 2023.
During routine checks on April 18, 2024, the Registry discovered that the e-Search Services were transmitting additional personal data to users’ computers beyond the intended search results.
Although the exposed data was not visible on the search result pages, users could access it using the web developer tool -- a feature rarely used by the general public -- or through robotic search methods.
The PCPD concluded its investigation on Wednesday, attributing the breach to the use of common modules in the system’s design, which inadvertently included excessive data fields.
“The PCPD has advised the registry to conduct regular and thorough reviews of systems containing personal data to ensure they are free from design and security vulnerabilities,” the report stated.
A total of 109,002 individuals may have been affected, including 108,575 company directors whose HKID card numbers, passport numbers, and residential addresses were exposed.
The breach also compromised the HKID card numbers and passport numbers of 217 disqualified persons, money lender applicants, and third parties appointed by licensed money lenders, as well as the names, phone numbers, and email addresses of 210 money lender contacts.
The PCPD noted that the Companies Registry had implemented several security measures during the system’s revamp, including contractual requirements for the contractor to adhere to privacy-sensitive design standards and government guidelines.
Given these measures and the lack of evidence of unauthorized access, the PCPD found insufficient grounds to conclude that the Companies Registry had failed to take all practicable steps to safeguard personal data, as required under the Personal Data (Privacy) Ordinance.
The PCPD has also initiated a compliance check against Deliveroo following the food delivery platform’s announcement that it will cease operations in Hong Kong.
(Ayra Wang)
SINGTAO















