
PCPD clears Companies Registry of privacy violations over 100,000-person data breach
There was no evidence that the leaked personal data were accessed without authorisation or by accident.
The Office of the Privacy Commissioner for Personal Data (PCPD) found no evidence that the "additional" personal data of over 100,000 individuals affected by a data breach in the Companies Registry was accessed without authorisation or by accident.
The data breach compromised HKID and passport numbers or addresses of 108,575 company directors.
It also compromised the HKID or passport numbers of 217 disqualified persons, money lender applicants, and third-party appointees, as well as names, phone numbers, or emails of 210 money lender contacts.
The breach was discovered on 18 April 2024, during routine checks on the Integrated Companies Registry Information System, which found the e-Search Services of the “e-Services Portal” had transmitted additional personal data beyond the relevant search information.
The investigation revealed that nearly 90% of the personal data involved was available for inspection in the images of documents registered with the Registry.
However, the PCPD said that the personal data concerned was not directly displayed on the search result pages, and that searchers needed to open the web developer tool, which was rarely used by general users.
The Registry also notified all individuals who might have been affected by the incident, immediately rectified the relevant system design, engaged an independent third party to conduct a comprehensive review of the relevant system, and took remedial actions to prevent the recurrence of similar incidents.
In addition, the PCPD has commenced a compliance check against Deliveroo following its announcement that it would cease operations in Hong Kong, which may affect the personal data privacy rights of its customers and delivery riders.