HK privacy watchdog opens probe into Oxfam HK's data breach

The Hong Kong privacy watchdog has launched an investigation into a data breach at Oxfam Hong Kong (OHK) that potentially affected 470,000 individuals. 

According to its official statement released on Wednesday, the Office of the Privacy Commissioner for Personal Data (PCPD) said it received a notification about a data breach incident from Oxfam Hong Kong (OHK).

“According to the latest information provided by OHK, it is currently unable to determine the exact number of individuals affected by the incident. However, it has notified over 470,000 potentially affected individuals,” the statement reads. 

The personal data involved may include names, addresses, email addresses, mobile phone numbers, HKID card numbers, and payment details. 

This comes after OHK discovered on 10 July morning that it had experienced a cyberattack incident affecting certain of its systems, including the Oxfam TrailWalker (樂施會毅行者) system. It reported the incident to the police, the PCPD, and the Hong Kong Computer Emergency Response Coordination Centre (香港電腦保安事故協調中心).

In a statement to MARKETING-INTERACTIVE, Oxfam said it is 

In a statement to MARKETING-INTERACTIVE, OHK said: “We are actively working with our cybersecurity experts to investigate into whether the Incident had resulted in any unauthorised disclosure of personal data that we hold, and the extent of any such disclosure. We will take the necessary and appropriate steps as and when we have further information."

OHK added that it has notified the potentially affected individuals and advised them to consider taking data security protection measures.

On the other hand, the PCPD is investigating a data breach at ImagineX Group, after receiving the company's notification on 31 May. According to the further information provided by  ImagineX Group, the breach has potentially affected over 126k members and employees, including around 100k ICARD members of the company and 27k Brooks Brothers members.

The personal data involved may include names, email addresses, phone numbers, passport numbers/copies, dates of birth, gender, nationality, and photos. The ImagineX Group has notified all affected individuals about the incident, according to the press statement.

Don't miss: HK privacy watchdog mulls penalty mechanism for institutions’ data breaches

Back in July, the PCPD said it was considering introducing an administrative penalty mechanism to punish institutions for privacy breaches.

Speaking on i-CABLE’s programme Let's Talk (有理有得傾), Ada Chung, the privacy commissioner for personal data, said there is a lack of security awareness among institutions when it comes to protecting personal data. The PCPD is studying amendments to the legislation that will allow it to directly penalise non-compliant institutions, thereby increasing the deterrent effect.

Related articles:

HK privacy watchdog mulls penalty mechanism for institutions’ data breaches
HK privacy watchdog releases first set of AI data protection guidelines
HK privacy watchdog orders crypto project Worldcoin to cease operations