05-05-2026 16:48 HKT
Photofinishing chain Fotomax was criticized for ignoring warnings from a firewall software company and leaking the personal data of some 540,000 members and 74,000 customers a year ago.
The Office of the Privacy Commissioner for Personal Data has issued a warning to the company, saying it has violated the Personal Data Ordinance and has to make rectifications within three months.
The privacy watchdog conducted an investigation after Fotomax lodged a data breach notification on November 1 last year, saying the database of its online store had been attacked by ransomware the previous week and maliciously encrypted.
Alongside over 540,000 members, the personal information of 74,000 online customers between November 16, 2020 and October 26, 2021 was leaked.
The watchdog later found that Fotomax had installed firewall software in March 2018 before installing a secure sockets layer virtual private network a year later to allow its staff to remotely access the system.
Despite the firewall manufacturer warning its users that the SSL VPN may be susceptible to hackers, Fotomax did not take any data security measures until the attack.
Privacy commissioner Ada Chung Lai-ling said Fotomax "had serious deficiencies in risk awareness and personal data security measures."
Acting chief personal data officer Brad Kwok Ching-hei said the privacy watchdog has not yet received complaints regarding the Fotomax data breach incident.
A medical group was also slammed for sharing its customers' personal data without their consent with 28 other brands owned by the company.
After receiving two complaints, it was found that 28 of 39 brands under EC Healthcare - including Primecare and Dr Reborn - had adopted an integrated internal database with the personal information of around one million members.
In one of the cases, the complainant's daughter had consulted a Primecare clinic in 2018 and used her grandmother's contact number. Two years later, after Primecare was acquired by EC Healthcare in 2019, the grandmother, a customer of Dr Reborn, received a text message with her granddaughter's name.
"Such practices were disappointing both from the perspective of compliance with legal requirements or that of respecting clients' wills," Chung said.
A privacy enforcement notice has been served on EC Healthcare which requires the company to cease the sharing of customer data without consent.
eunice.lam@singtaonewscorp.com