Cliff Buddle
SCMP Columnist
My Take
by Cliff Buddle

Scandals expose the vulnerability of Hong Kong’s cyber defences

  • Providing personal details is part of modern life, but we expect them to be secure. Instead, government departments are leaking like a sieve

Hong Kong has spent the last four years energetically tackling a wide range of perceived threats to national security. But one area in which more security is desperately needed is in the prevention of personal data leaks. The city has suffered a wave of serious hacking attacks and glaring data privacy breaches.

The latest scandal concerns the Companies Registry. The online database leaked personal details of 110,000 people, including names, passport and identity card numbers and residential addresses. Hong Kong’s privacy watchdog launched an investigation after the registry suspended online access on April 19. It is worrying for those affected, who are being warned to watch out for signs that their personal data is being abused, including checking their bank accounts for unauthorised transactions.

Clearly, the registry must swiftly review its systems, step up security measures and close any gaps in the portal’s defences.

The leak would be less of a concern if it was an isolated case. But this was the third time in a week a public body had hit the headlines because of a data security breach, following a string of similar cases in recent months.

Last week, the Office of the Privacy Commissioner for Personal Data announced it was investigating the leaking of the personal data of 17,000 residents collected by the Electrical and Mechanical Services Department during the pandemic in 2022. There had been a failure in the department’s password login system.

The watchdog also revealed the Consumer Council breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack. Hackers gained access to an administrator account in September and carried out malicious activities while trying to force the council to pay a US$500,000 ransom.

Meanwhile, Cyberport, the government-funded tech hub, has been ordered to make substantial improvements to its system and procedures after hackers gained access in August and stole the personal data of 13,000 staff and jobseekers. An investigation by the privacy watchdog found Cyberport to have “failed to implement sufficient and effective measures” to safeguard data security. It breached two privacy law principles: by failing to keep information secure, and by retaining data years after the period permitted by its policies.

The sorry list of the city’s data leaks also includes Hongkong Post, the Social Welfare Department, the Hong Kong Ballet and online market Carousell.

Hong Kong is not alone in facing the challenge of resisting increasingly sophisticated cyberattacks. There is a rising trend around the world, from phishing to ransomware. But the spate of scandals has exposed the shocking vulnerability of the city’s defences. Lessons have not been learned. There was a 50 per cent rise in reports of data breaches last year – 157 compared to 105 in 2022 – with 64 reports of hacking. The higher number of reports is likely to be partly due to increased awareness of the risks. But the danger is clear and present.

A study revealed in November that 73 per cent of companies polled had suffered cybersecurity attacks in the past year. Worryingly, the survey showed preparedness to have declined and staff awareness to be low.

The privacy watchdog has launched a thematic website which includes a self-assessment tool for businesses to test the adequacy of their data security measures. It has also set up a data security hotline. But much more needs to be done. Government departments are leaking like a sieve.

A comprehensive and concerted effort is required to get the city’s public and private sectors up to speed. Data must be securely stored, systems regularly reviewed and updated and staff adequately trained. More resources will be needed. Data users, meanwhile, need to be more aware of the risks when supplying personal details or allowing them to be accessed.

Providing our personal details is part of modern life. But we expect them to be held securely. The city’s personal data defences are clearly inadequate and in urgent need of strengthening.
