December 9 enforcement action by the Privacy Commission of Hong Kong:
Data Breach Incident of the Electrical and Mechanical Services Department (EMSD)
The investigation arose from a data breach notification submitted by the EMSD to the PCPD on 1 May 2024, reporting its suspicion that the personal data of members of the public in its possession was leaked. The data breach involved the personal data of persons who had undergone testing in the “restriction-testing declaration” (RTD) operations conducted in 2022 (the Incident).
Background
The EMSD conducted a total of 14 RTD operations between March and July 2022 to carry out COVID-19 tests for the residents or visitors in 14 buildings (see Annex 1). To collect the data of persons who were subject to testing in the RTD operations, the EMSD procured and used the services of an e-Form Platform (the e-Form Platform) associated with the cloud platform ArcGIS Online and created 14 e-forms. The relevant e-forms and data were stored in the data repository of ArcGIS Online.
In late 2022, when the EMSD noted that the RTD operations had come to an end, it immediately notified the contractor not to renew the service contract after its expiry in late February 2023. According to the EMSD, the EMSD considered that the e-Form Platform account would be invalidated upon expiry of the contract, and the relevant information would be automatically deleted by the contractor. It was not until its receipt of the PCPD’s notification on 30 April 2024 that the EMSD learned that the personal data of persons who had undergone testing in the RTD operations could be browsed by anyone at the relevant website of ArcGIS Online without logging into any account or password. The EMSD hence immediately requested the contractor to remove the personal data involved from the e-Form Platform on the same day, so that the public could no longer browse the relevant information. The EMSD also submitted a data breach notification to the PCPD on the next day.
The Incident affected the personal data of over 17,000 persons. The personal data involved included names, addresses, Hong Kong Identity Card (HKID card) numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they were tested positive in PCR tests and the respective dates.
Read “Investigation Findings: Data Breach Incident of the Electrical and Mechanical Services Department”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf
Source: Privacy Commissioner of Hong Kong