Out-Law News 1 min. read
03 Mar 2022, 6:05 am
A hotel and an online retailer in the Hong Kong Special Administrative Region (HKSAR) have recently suffered a data breach of their IT systems, which affected information they held on over 1.2 million customers.
According to statement by the Office of the Privacy Commissioner for Personal Data (PCPD) in HKSAR, Harbour Plaza Hotel Management Limited (Harbour Plaza) had over 1.2 million customers’ data accessed in a cybersecurity attack in early February. Accordingly, the PCPD started its investigation and requested Harbour Plaza to provide more information in relation to the incident, including the details of the incident and the types of personal data involved.
Jennifer Wu, a Hong Kong-based technology expert at Pinsent Masons said: “It is critical for companies to understand about their data infrastructure before these cyber-attacks. Whilst third party forensic experts can help to investigate the incident, lawyers are also required to manage the consequences faced by companies as a result of the non-compliance with the applicable data protection legislation.”
Earlier in the month, Hong Kong Technology Venture Company Limited (HKTV) confirmed suspicious online activities in its computer systems were detected in late January, involving unauthorised access to “a small portion” of the data held by its online retail platform HKTVmall on 4.38 million registered customers.
It is key for companies to be cyber ready and to engage in incident planning if it has not done so already.
Data accessed might include account registered names, encrypted login passwords, registered and contact email addresses; recipient names, delivery addresses and the contact numbers of those who bought products during December 2014 to September 2018, according to a statement by HKTV. The unauthorised access might also include registered information in relation to Facebook accounts or Apple IDs of customers who have linked these to their HKTVmall accounts.
HKTV said it had reported the incident to the PCPD and would use ”endpoint detection and response” solutions to monitor, identify, investigate suspicious activities via artificial intelligence (AI). It also intends to obtain the Centre for Internet Security’s level one benchmark of cyber security best practice to reduce the risk of future attacks; and to reduce the volume of data it collects on its customers.
“Cyber-attacks can have significant impact to a business and its reputation. It is key for companies to be cyber ready and to engage in incident planning if it has not done so already,” Wu said.
06 Jan 2021
26 Feb 2020