Personal data of more than 127,000 customers was affected in a breach at fashion brand management company ImagineX Group, the Office of the Privacy Commissioner for Personal Data said while ruling the company in violation of the Personal Data (Privacy) Ordinance.
Members of several international brands’ loyalty programs managed by the company, such as Brooks Brothers and Paul Smith, were affected by the incident.
The city’s privacy watchdog revealed on Monday that the incident occurred last year when hackers stole and threatened to sell data containing personal information of 127,268 individuals, including names, email addresses, phone numbers and passport copies. Those affected included 100,185 ICARD members, 27,069 Brooks Brothers members, and 14 current and former employees of ImagineX.
The ICARD program covered six brands in Hong Kong and Macau at the time of the data breach, namely Paul Smith, Club Monaco, Apivita, Isabel Marant, Natura Bissé and Sacai.
ImagineX clarified on Tuesday that some ICARD members may be affected by this incident and the company has notified all the affected members and employees of the incident.
Investigators determined the breach stemmed from human oversight and inadequate security measures.
Privacy Commissioner for Personal Data Ada Chung Lai-ling said the breach resulted from ImagineX's failure to delete inactive accounts and update outdated systems.
“If ImagineX had timely deleted the account and decommissioned the end-of-support operating system before the incident, the incident could likely have been avoided,” Chung said.
The commissioner ruled that ImagineX failed to take all practicable steps to protect personal data from unauthorized access or accidental exposure, constituting a violation of the Personal Data (Privacy) Ordinance.
The PCPD has issued an enforcement notice requiring the company to implement corrective measures and prevent future violations. Separately, the PCPD released guidelines for workplace use of generative AI.
According to the Checklist on Guidelines for the Use of Generative AI by Employees, companies must specify permitted tools, both public and internal, define acceptable uses like document drafting, and clarify what data can be input.
Employees must verify AI outputs for accuracy, while companies must prohibit illegal uses and establish consequences for violations.
(Ayra Wang)

SINGTAO
















