HK privacy watchdog warns URA over data leak of 199 tenants and owners


Hong Kong’s privacy watchdog has issued a warning letter to the Urban Renewal Authority (URA) for failing to prevent a leak of the personal data of 199 tenants and owners stored on a cloud platform.

The Office of the Privacy Commissioner for Personal Data (PCPD) recently released its investigation report on the data leak incident that the URA initially reported on 13 May 2024. The report highlighted that the personal data of members of the public stored on a URA cloud platform could be accessed by anyone without entering any account or password.

The URA used the e-form platform associated with the cloud platform ArcGIS Online to create two e-forms for briefing sessions on property acquisition under the Nga Tsin Wai Road / Carpenter Road Development Scheme. These e-forms were launched on 2 May 2024 for owners, tenants, and shop operators to register.

After being notified by the police on 3 May 2024 about a potential data leak from the e-forms, the URA promptly stopped using the ArcGIS Online cloud platform and deleted the stored personal data. It later discovered that anyone could access the personal information of those who registered for the briefing sessions without needing to log in.

The incident affected the personal data of 199 owners and tenants who had replied to attend the briefing sessions. The affected personal data included telephone numbers, names of the contact persons and the details of their ownership or their correspondence addresses.

In response to the incident, the URA worked with the contractor of the e-form platform to investigate and found that different versions of the software existed. The new version, available since July 2022, had different default settings for data sharing, requiring extra configuration before data could be accessed without login. However, the URA had used an older version, which did not implement these enhanced data protection settings for the e-forms.

Meanwhile, the URA confirmed that its staff lacked sufficient knowledge of the e-form platform versions, resulting in an inadequate review of data sharing settings and a lack of security testing during e-form testing. It agreed that if the latest version had been used, the incident would not have occurred. 

In the course of the investigation, the PCPD conducted five rounds of enquiries with the URA and approached the contractor twice to obtain relevant information regarding the incident. Having considered the circumstances of the incident and the information obtained during the investigation, privacy commissioner Ada Chung identified two key deficiencies in the URA that contributed to the incident. Firstly, the URA did not update the software promptly to ensure it was using the latest version. It did not take steps to verify whether the e-form platform software was current and failed to implement necessary updates.

Secondly, the URA lacked understanding of the software used to collect personal data, and failed to develop and conduct effective and comprehensive security tests for the use of the software. This resulted in the omission of some key functions in the security check of the forms. As a result, the URA failed to detect in a timely manner that the data was open to public access, which eventually led to the incident.

Based on the above, the privacy commissioner found that the URA had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data.

The privacy commissioner has served a warning letter on the URA, requesting it to take measures to enhance the protection of the personal data held by it in order to prevent recurrence of similar contraventions in future.

In response, the URA said in a statement that it has implemented a series of measures to strengthen the protection of personal data, such as reviewing the work guidelines; re-evaluating and optimising the workflow for handling personal data; appointing an audit firm to conduct a comprehensive information security audit; and strengthening training and security awareness on handling data security and personal data for departments and all technical staff.
