It was discovered that a specific online server platform storing citizens' personal data of the Electrical and Mechanical Services Department (EMSD) could be accessed without entering a password, potentially leading to data leakage of over 17,000 individuals who underwent "Restriction-testing Declaration" Operations during the pandemic.
The Office of the Privacy Commissioner for Personal Data ruled today (Dec. 9) that the EMSD violated the relevant provisions of the Personal Data (Privacy) Ordinance and ordered it to take measures. In response, the EMSD stated that it will carefully review its contents and take serious follow-up action as appropriate.
The EMSD emphasized that regarding the online server platform services involved in the "Restriction-testing Declaration" Operations, the procurement terms with the contractor stipulated that the contractor would delete the relevant data after the service period ended. Upon learning of the data breach, the EMSD maintained a proactive and responsible attitude, reported the case to law enforcement, cooperated with the investigation, and promptly contacted the contractor to know about the operation of the server platform to ensure that the data had been completely removed.
Related News:
EMSD leaks data of 17,000 tested individuals, falling short of public expectations
Comment