HK Social Welfare Department apologises for leaking applicant names online

Hong Kong’s Social Welfare Department (SWD) has apologised for disclosing the names of 1,300 subsidy applicants online. The staff responsible for the data leak had been laid off, according to the department.  

According to its official statement, the SWD expressed “sincere apologies” after a contract staff member had improperly copied the English names of about 1 300 applicants for the "Special Care Subsidy Scheme for Persons with Severe Disabilities" to the Internet, without following the relevant guidelines. 

The service contract of the staff member concerned has been terminated, said the department. The SWD has also reminded staff to comply with the departmental guidelines and exercise due care in handling personal particulars related to members of the public. 
 
The SWD said the incident has been reported to the Office of the Privacy Commissioner for Personal Data. The SWD has written to the individuals affected by the incident and contacted them by phone to explain the incident.  

On the other hand, Hong Kong’s privacy watchdog has received a data breach notification from the Social Welfare Department on 4 January, reporting that about 1,300 data subjects had been affected.  

The PCPD noted that the relevant department had already notified all affected data subjects, and the PCPD has commenced a compliance check into the incident in accordance with established procedures. 

Having considered that the incident involved the leakage of personal data, the PCPD appeals to the affected persons to make enquiries or complaints with the PCPD or the relevant department if they suspect that their personal data have been leaked. As of 9 January, the PCPD has not received any enquiries or complaints regarding the incident. 

Don't miss: Cyberport reveals stolen data of staff and job applicants appear on dark web

This is not the first data leak incident caused by suspected human error. Back in September 2023, Hong Kong tech hub Cyberport revealed that some of the stolen personal data of its staff, former employees and job applicants have appeared on the dark web.

The data were disclosed after international hackers required a ransom of US$300,000 for the leaked 400 gigabytes of information. The hacker organisation, Trigona, also put up the data for bidding online.

Cyberport confirmed that the disclosed personal data include the names, contact details, human resources-related data and a small number of credit card records of existing staff, ex-employees and job applicants from Cyberport. A Cyberport board director said Eric Yeung said the leaked data was stored in a shared drive, in which the data was not supposed to carry sensitive information.

Related articles:

HK consumer watchdog reveals suspected data leak following 7-hour ransomware attack
ShopBack fined SG$74,400 after personal data leak affecting millions of customers