Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public
- It is third online security incident concerning government departments revealed in a week
- Latest incident occurred on Friday when an outsourced contractor handled data migration procedure, Fire Services Department says
Hong Kong’s fire service has reported a potential data leak related to an unauthorised change of access rights to personal information of more than 5,000 residents and staff, the third online security incident concerning government departments revealed in a week.
The Fire Services Department (FSD) said the incident was spotted on Friday and occurred when an outsourced contractor handled a data migration procedure.
“During the process, the access right of the data was found altered without authorisation, posing a potential risk of data leakage,” the department said in a statement on Monday evening.
“There is no evidence that relevant data have been released.”
It offered “sincere apologies” over the incident.
In the fire service case, the data included the surnames and telephone numbers of around 480 members of the public who had reported tree collapse incidents when Super Typhoon Saola struck on September 2 last year.
Personal information of about 5,000 fire service staff, including names, telephone numbers, ranks and numbers, and their postings, was also at risk of leaks.
The department added that 960 incomplete identity card numbers of staff were also involved.
It said it had notified affected members of the public through messages or phone calls.
The outsourced contractor, whose name was not disclosed in the statement, was immediately stripped of access rights to the system. The department was also ordered to suspend the system operation and all of its contract jobs.
The department said it and the contractor were “conducting a comprehensive review of the incident and stepping up the protective measures to prevent similar incidents”.
The department said it had reported the incident to police, the Security Bureau, the Office of the Government Chief Information Officer and the Office of the Privacy Commissioner for Personal Data, the privacy watchdog.
Michael Gazeley, founder of Hong Kong cybersecurity firm Network Box, said the unauthorised change of access was “quite a disturbing comment”.
“Because in that case, if there was private data being handed over, then obviously that data should have been supervised,” he said. “If a contractor really did just change access rights, why was it not supervised?”
We just can’t allow this to carry on
Despite there not being enough details provided so far for a firm comment on the cause of the incident, the cybersecurity expert said that with some foresight it should have been preventable.
Gazeley said there were several key factors in the recent spate of cybersecurity issues involving different government bodies and the private sector in the past few weeks.
“Some are apparently due to human error and lack of effective supervision; some are due to vulnerabilities in the victim’s cybersecurity systems; and some are due to third-party devices or software being added to an organisation’s networks without the needed security in place,” he said.
“We just can’t allow this to carry on.”
He said significant changes had to be made in how cyberattacks and also cybersecurity were handled.
The fire service case was the latest of a recent string of data security incidents at major public bodies
