
Scripting error at HK Express, Hong Kong, enabled customer access to restricted information.

The city's privacy agency unveiled eight data leaks stemming from negligence in adhering to established protocols.


In a series of data breach incidents that occurred between October 2023 and November 2024, Hong Kong-based organizations HK Express, CJ Plus Insurance, and the Transport Department had sensitive information compromised. Each of these cases was investigated by the Office of the Privacy Commissioner for Personal Data (PCPD).

**HK Express** experienced a data breach in July 2025, stemming from a "scripting error" that incorrectly directed a customer to another person's account. This oversight resulted in the unauthorized access and exposure of personal data such as birth dates, underscoring the importance of proper data safeguarding procedures.

**CJ Plus Insurance** inadvertently sent out documents containing sensitive personal information, including résumés and copies of Hong Kong identity cards, on recycled paper. This physical mishandling of data led to the exposure of private information.

The **Transport Department**, a government department, was also affected by a data breach, although specific details about the incident were not extensively publicized. Nonetheless, it was one of the eight cases revealed by PCPD involving negligence in following established procedures to prevent data leaks.

The PCPD found that all these incidents violated the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong. The entities were found to have used personal data for new purposes without proper authorization, failed to take adequate practical steps to prevent data leaks, and demonstrated negligence in following established procedures to protect personal data.

Under the PDPO, organizations are mandated to protect personal data and take reasonable measures to prevent unauthorized access or data leaks. While the exact penalties for these specific cases were not detailed in the available information, penalties for serious breaches can include enforcement notices requiring organizations to rectify the breach, fines of up to HKD 500,000 upon conviction, and imprisonment for severe offenses related to data misuse or unauthorized data handling.

The PCPD uses these cases as public reminders to improve data security awareness among organizations and the public. Ada Chung Lai-ling, the Privacy Commissioner, stated that in the digital age, organizations have generally improved their efforts to protect personal data. However, these incidents serve as a reminder that vigilance and adherence to established procedures are essential to maintain data privacy and security.

The PCPD revealed eight cases, one of which involved CJ Plus Insurance, and did not mention any specific penalties or fines for the organizations involved in the data leaks. The office did not specify the exact number of individuals affected in each incident. Despite this, the incidents serve as a stark reminder of the importance of data protection and the consequences of negligence in this area.

  1. The series of data breach incidents involving Hong Kong-based companies HK Express, CJ Plus Insurance, and the Transport Department, along with the unspecified number of cases revealed by the PCPD, underscores the importance of general-news articles emphasizing the need for technology companies to prioritize data safeguarding procedures in crime-and-justice reporting.
  2. The occurrence of data breaches at HK Express, CJ Plus Insurance, and the Transport Department, all of which were found to violate the Personal Data (Privacy) Ordinance (PDPO) of Hong Kong, calls for enhanced awareness of data security among organizations and the public, as highlighted by the PCPD's use of these cases as public reminders, demonstrating the critical role technology plays in maintaining data privacy and security in the digital age.
