Hong Kong’s fire department has discovered a computer system breach that exposed the personal data of over 5,000 department personnel and hundreds of residents, marking the third data security incident involving the government in less than a week.
The Fire Services Department (FSD) said in a statement on Monday evening that there was no evidence that the breach, caused by an unauthorised alteration of access rights during a data migration procedure by an outsourced contractor, led to the data being “released.”
The data included the surnames and telephone numbers of approximately 480 people who had reported tree collapse incidents during the Super Typhoon Saola last September.
The personal information of around 5,000 FSD staff – including their names, telephone numbers and ranks – were also at risk. Among the staff, 960 personnel saw their incomplete identity card numbers involved in the breach.
System suspended
The fire department said the system had been suspended and that it and the contractor was investigating the incident.
“The FSD has instantly contacted the outsourced contractor responsible for the system, and requested immediate suspension of the system and all of its contract jobs. The contractor’s access right to the system is withdrawn to prevent data leakage,” the statement read.
Along with the contractor, the department is conducting a review and stepping up protective measures to prevent similar incidents. It has also reported the incident to the Police, the Security Bureau, the Office of the Privacy Commissioner for Personal Data and the Office of the Government Chief Information Officer.
The FSD’s data breach follows similar incidents last week in which the Electrical and Mechanical Services Department (EMSD) and the Companies Registry reported that data stored on their servers had been compromised.
In response to the two incidents, lawmaker Elizabeth Quat on Monday urged the government to improve data security.
“If these incidents happen again, there should be a punishment mechanism,” she told reporters outside the Legislative Council chamber in Cantonese. “People should be held accountable and there should be disciplinary actions.”
The city’s privacy watchdog said in January that it received more than 150 data breach notifications last year, marking a nearly 50 per cent increase compared to the previous year.
Last month, the watchdog found “clear oversight” in a data leak involving Cyberport, a government-owned tech hub, that was said to have infrequent security audits and unnecessary retention of personal data.
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
