Hong Kong government entities leak data, ordered to remove from public clouds

Recent Hong Kong government data leaks have caused an order for all government bureaus and departments to remove sensitive and personal information from public cloud servers and report to the Hong Kong Office of the Government Chief Information Officer (OGCIO) within one week.

The order came after two incidents:

1. The Hong Kong Electrical and Mechanical Services Department (EMSD) discovered a server containing personal information of approximately 17,000 citizens from the Covid-19 lockdown period between March and July 2022 was accessible without a password.
2. The Hong Kong Companies Registry revealed a separate data leak affecting around 110,000 individuals.

In the EMSD incident, the following data was exposed:

• Names
• Telephone numbers
• ID card numbers
• Addresses

EMSD requested the service provider to remove it immediately and reported the incident to the OGCIO, police, and the Security Bureau.

The Office of the Privacy Commissioner for Personal Data, led by Privacy Commissioner Ada Chung Lai-ling, is investigating whether the breach occurred in 2022 or more recently.

The Companies Registry leak involved:

• Names
• Passport and ID card numbers
• Addresses
• Contact numbers
• Email addresses

The registry announced urgent maintenance was necessary on April 19 after detecting a risk of personal data leakage in its e-Search Services platform. An investigation revealed that additional personal information of company directors could be obtained through web developer tools or robotic searches.