DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Hong Kong Privacy Commissioner’s Office Publishes Investigation Findings on the Electrical and Mechanical Services Department Data Breach

Posted on December 10, 2024December 10, 2024 by Dissent

December 9 enforcement action by the Privacy Commission of Hong Kong:

Data Breach Incident of the Electrical and Mechanical Services Department (EMSD)

The investigation arose from a data breach notification submitted by the EMSD to the PCPD on 1 May 2024, reporting its suspicion that the personal data of members of the public in its possession was leaked. The data breach involved the personal data of persons who had undergone testing in the “restriction-testing declaration” (RTD) operations conducted in 2022 (the Incident).

Background

The EMSD conducted a total of 14 RTD operations between March and July 2022 to carry out COVID-19 tests for the residents or visitors in 14 buildings (see Annex 1). To collect the data of persons who were subject to testing in the RTD operations, the EMSD procured and used the services of an e-Form Platform (the e-Form Platform) associated with the cloud platform ArcGIS Online and created 14 e-forms. The relevant e-forms and data were stored in the data repository of ArcGIS Online.

In late 2022, when the EMSD noted that the RTD operations had come to an end, it immediately notified the contractor not to renew the service contract after its expiry in late February 2023. According to the EMSD, the EMSD considered that the e-Form Platform account would be invalidated upon expiry of the contract, and the relevant information would be automatically deleted by the contractor. It was not until its receipt of the PCPD’s notification on 30 April 2024 that the EMSD learned that the personal data of persons who had undergone testing in the RTD operations could be browsed by anyone at the relevant website of ArcGIS Online without logging into any account or password. The EMSD hence immediately requested the contractor to remove the personal data involved from the e-Form Platform on the same day, so that the public could no longer browse the relevant information. The EMSD also submitted a data breach notification to the PCPD on the next day.

The Incident affected the personal data of over 17,000 persons. The personal data involved included names, addresses, Hong Kong Identity Card (HKID card) numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they were tested positive in PCR tests and the respective dates.

Read  “Investigation Findings: Data Breach Incident of the Electrical and Mechanical Services Department”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf

Source: Privacy Commissioner of Hong Kong

Category: ExposureGovernment SectorHealth DataNon-U.S.Subcontractor

Post navigation

← HHS OCR settles charges that Inmediata Health Group exposed 1.6 million patients’ PHI online
Hackers take a bite out of Krispy Kreme →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.
  • Websites selling hacking tools to cybercriminals seized
  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database
  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.