Oxfam under fire as privacy chief rues data fraud jump

Stacy Shi

The Office of the Privacy Commissioner for Personal Data received 18,125 inquiries last year, including 1,158 suspected data fraud cases, with the latter a 46 percent increase from 793 in 2023.

There were also 203 data breach notifications, with 67 from public organizations and 136 from the private sector - with the total up nearly 30 percent over the 157 notifications received in 2023.

These breaches were attributed to various issues, including hacking, loss of documents or portable devices, accidental disclosures of personal information via email, mail, or fax, and system errors.

In contrast, the number of complaints saw a slight reduction of 4 percent, from 3,583 in 2023 to 3,431.

An investigation also revealed that the Hong Kong branch of the international charity Oxfam failed to implement adequate measures to protect its information systems, leading to the leak of personal information belonging to 550,000 individuals in July.

The breach involved unauthorized access to 37 servers and 24 computers, resulting in the loss of 330 gigabytes of sensitive data.

Privacy Commissioner Ada Chung Lai-ling said the primary causes of the breach included vulnerabilities due to outdated firewalls and a lack of multifactor authentication.

"It is regrettable that a large-scale organization, which holds a significant amount of data, has failed to take effective measures to safeguard the security of its information system and to promptly delete personal information that has exceeded the retention period," she said.

Her office has issued an enforcement notice to Oxfam, demanding it address these irregularities and implement measures to prevent a recurrence.

In response, Oxfam said it attaches great importance to the breach and is implementing measures as directed by Chung - and will submit an implementation report within two months.