Description

Issued PCPD ruling following investigation into Cyberport's data breach incident

On 2 April 2024, the Privacy Commission for Personal Data (PCPD) ruled in an investigation into a data breach incident at Cyberport caused by a ransomware attack. This breach compromised the personal information of over 13'000 individuals, including unsuccessful job applicants and former employees. Cyberport's deficiencies included inadequate detection measures, failure to implement multi-factor authentication, insufficient security audits, vague information security policies, and unnecessary retention of personal data. The PCPD concluded that Cyberport failed to adequately protect personal data, violating the Personal Data (Privacy) Ordinance. An enforcement notice was issued to Cyberport to rectify the breaches and prevent recurrence.

Furthermore, the PCPD issued a set of recommendations to other organisations which process data digitally. These include establishing a programme for managing personal data privacy and appointing data protection officers, developing a strong cybersecurity framework, conducting regular risk assessments and security audits of information systems, fostering a corporate culture that prioritises information security, and ensuring prompt deletion of personal data when it is no longer needed.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2024-04-02
in force

On 2 April 2024, the Privacy Commission for Personal Data (PCPD) ruled in an investigation into a d…