Hong Kong’s privacy watchdog will investigate a “serious” data leak involving the personal information of 17,000 residents collected during the Covid-19 pandemic that resulted from an error in a government department’s password login system.
Privacy Commissioner for Personal Data Ada Chung Lai-ling on Friday also urged the Electrical and Mechanical Services Department to notify all affected individuals, hours after the latter issued an apology over the incident.
The system security failure led to the exposure of personal information, such as names, telephone numbers, identity card numbers and addresses, collected during “restriction-testing declaration” operations between March and July of 2022.
Authorities conducted such operations at the height of the pandemic as part of testing orders that locked down buildings until all occupants had been tested for the virus.
“We think the situation is serious. We will follow our procedures and commence an investigation,” Chung told a radio programme.
“We have suggested the department notify affected individuals as there are relatively more people affected.”
The leak consisted of data from residents living at 14 public housing blocks subject to restriction-testing declaration operations. Those affected included tenants at Yan Ching House in Kai Ching Estate, Oi Ming House in Yau Oi Estate and Kwong Wai House in Kwong Fuk Estate.
The department said on Thursday that the watchdog had notified it after receiving a public report that data stored on a designated online server supposed to be restricted to authorised personnel was accessible without a password login.
“The Electrical and Mechanical Services Department immediately checked and found that the password login system had failed. The data could be browsed without entering any password but they were not downloadable,” it said, adding the data had been removed.
“The (department) expresses its sincere apologies for the incident.”
The case had been reported to police, the Office of the Government Chief Information Officer and the Security Bureau, it said.
The department said there was currently no evidence to suggest the data had been published elsewhere, adding it would notify the relevant households. – South China Morning Post