Personal data of 110,000 people leaked after breach at Hong Kong’s Companies Registry, investigation finds – Technologist
An investigation into Hong Kong’s Companies Registry has revealed the online portal leaked personal data of 110,000 people, including names, passport and identity card numbers and residential addresses.
It was the third reported public body security breach in a week, and accountancy sector lawmaker Edmund Wong Chun-sek called it “truly a serious mistake”.
The registry said telephone numbers and email addresses were also disclosed, and it had started notifying victims with explanations and apologies.
“The Companies Registry is very concerned about the risk of personal data leakage,” a spokesman said.
“It is consulting the Office of the Privacy Commissioner for Personal Data and the Office of the Government Chief Information Officer, with a view to conducting a comprehensive review of the incident.”
The registry spokesman added that its contractor’s system design provided the client with not only search-related information but also additional personal information.
“Although such additional personal data would not be displayed on the search result pages, it could be obtained using a web developer tool on the said pages,” he said, adding that some personal data could also be obtained via a “robotic search”.
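The flaw described above, a server sending the browser more fields than the page renders, is usually prevented by building each response from a server-side allowlist and testing response bodies against it. The sketch below is an added example, not the registry's or its contractor's code; the field names, schema and sample record are constructed assumptions.

```python
# Added example: all field names and the sample record are constructed.

# Assumed allowlist of what the search-result page is meant to show.
# None marks a leaf value; a nested dict describes a nested object or list of objects.
SCHEMA = {
    "company_name": None,
    "company_number": None,
    "officers": {"name": None, "role": None},
}

# Constructed back-end record holding more than the page displays.
RECORD = {
    "company_name": "Example Trading Ltd",
    "company_number": "0000000",
    "officers": [
        {"name": "CHAN Tai Man", "role": "Director",
         "id_number": "X000000(0)", "address": "1 Example Road",
         "email": "director@example.com"},
    ],
}

def project(value, schema):
    """Copy only allowlisted keys; lists are projected element by element."""
    if isinstance(value, list):
        return [project(v, schema) for v in value]
    if isinstance(value, dict):
        if schema is None:  # a leaf was expected: never pass an object through
            return None
        return {k: project(value[k], schema[k]) for k in schema if k in value}
    return value

def leaked_paths(payload, schema, path=""):
    """Return paths present in a response body but absent from the allowlist."""
    if isinstance(payload, list):
        found = []
        for item in payload:
            found += leaked_paths(item, schema, path)
        return sorted(set(found))
    if not isinstance(payload, dict):
        return []
    found = []
    for key, val in payload.items():
        here = f"{path}.{key}" if path else key
        if schema is None or key not in schema:
            found.append(here)  # field the page never displays
        else:
            found += leaked_paths(val, schema[key], here)
    return sorted(set(found))
```

Running `leaked_paths` over captured response bodies in a regression test flags hidden fields before release, whether or not the page template displays them.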
The registry announced on April 19 that it would suspend access to its online portal for urgent maintenance, saying risks of personal data leakage had been identified.
At the time, the registry said it had not received any personal data leakage report following a preliminary investigation.
The Office of the Privacy Commissioner for Personal Data said that considering the vast scope of people affected, it had immediately commenced an investigation.
As of Friday, the watchdog had not received any inquiries or complaints regarding the incident, a spokesman added.
He also urged those affected to change the passwords of their online accounts, activate multi-factor authentication if possible, watch out for unusual logins and review bank statements for any unauthorised transactions.
Lawmaker Wong has also called on the registry to comprehensively review all existing systems and eliminate all possible loopholes.
The breach at the registry followed an announcement a day earlier by the privacy watchdog that it would investigate a security failure of the Electrical and Mechanical Services Department.
Data was collected by the department during “restriction-testing declaration” operations between March and July of 2022.
The office said hackers managed to obtain access to an administrator account belonging to the council’s IT staff on September 4 last year, and used the account to carry out various malicious activities weeks later while trying to force the watchdog to pay a ransom of US$500,000.
Lawmaker Elizabeth Quat, the chairwoman of the Legislative Council’s information technology and broadcasting panel, said the back-to-back occurrences revealed serious issues with cybersecurity within government departments.
She also urged authorities to conduct security breach drills to boost awareness and response capabilities among the civil service.