Ayra Wang
The registry reported the breach on April 19 last year after it identified a risk of data leakage in the e-Search Services of its e-Services Portal, following a system revamp launched in late 2023.
During routine checks the day before, it found its e-Search Services transmitting information to users' computers beyond the intended search results. Users could access the extra data via web developer tools or robotic search methods.
The Office of the Privacy Commissioner for Personal Data determined yesterday that the Companies Registry did not violate privacy regulations during a breach that compromised the data of more than 100,000 individuals, having found no evidence that the leaked data was improperly accessed.
PCPD attributed the breach to the use of common modules in the system's design that inadvertently included excess data fields.
A total of 109,002 individuals may have been affected, including 108,575 company directors whose HKID card numbers, passport numbers, and residential addresses were exposed. The breach also affected 217 disqualified persons, money lender applicants, and third parties appointed by licensed money lenders as well as 210 money lender contacts.
PCPD also noted that the registry implemented several security measures during the system's revamp, including mandates on contractors to adhere to privacy-sensitive design standards and government guidelines. It ultimately found insufficient grounds to claim the registry did not take all viable steps to safeguard personal data as required under the Personal Data (Privacy) Ordinance.

The Office of the Privacy Commissioner for Personal Data in Wan Chai. SING TAO
















