The Office of the Privacy Commissioner for Personal Data (PCPD) has disclosed eight cases of data security incidents involving various entities, including government departments, healthcare institutions, airlines, and travel agencies.
The majority of the cases were attributed to staff negligence, resulting in the disclosure, inspection, handling, or use of customers' personal information without their consent.
In one case, staff from the Transport Department failed to follow procedures to fold the letter, exposing citizens' ID numbers, case references, and letter headings through the envelope window.
After intervention from PCPD, the department reinforced staff training, issued visual guides for proper letter handling, and adjusted the placement of case numbers to prevent future leaks.
In another case, a medical service provider accidentally disclosed the personal details of over 100 patients to other respondents due to misconfigured settings in an online registration form.
Once the situation was disclosed, the organization disabled the form link and removed the form immediately, and ensured stricter controls would be made for future digital forms.
The Privacy Commissioner for Personal Data, Ada Chung Lai-ling, stated that although most incidents are isolated, they are often caused by careless mistakes and negligence on the part of staff.
She urged organizations to reinforce staff awareness of data protection and cultivate proper working habits, such as incorporating personal privacy protection as part of the organization's core values, providing clear and easily understood working instructions, and implementing a comprehensive contingency plan for information leakage.
Separately, following the cyberattack on Australian airline Qantas last Monday (June 30), which involved the personal data of around 6 million passengers, the city's privacy watchdog reported receiving some inquiries.
According to the airline, the hacker targeted one of its customer contact centers, gaining access to customer records, including names, birthdates, email addresses, and phone numbers through a third-party computer system.
However, Qantas emphasized that customer credit card details, passport numbers, frequent flyer accounts, and passwords remain secure, ensuring that neither operations nor security were impacted.
As the airline did not specify whether any Hong Kong customers were affected, Chung Lai-ling noted that PCPD received inquiries from concerned citizens.
The office has reached out to the airline for more information regarding the involvement of Hong Kong consumers, including the number of affected individuals and the specific data compromised.
The privacy watchdog is currently awaiting a response.
