{"id":30808,"date":"2025-10-09T07:59:45","date_gmt":"2025-10-09T07:59:45","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/?post_type=insight-and-news&#038;p=30808"},"modified":"2025-12-16T07:39:55","modified_gmt":"2025-12-16T07:39:55","slug":"legal-update-pcpds-investigation-reports-on-two-data-breach-incidents","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hans\/insight-and-news\/legal-update-pcpds-investigation-reports-on-two-data-breach-incidents\/","title":{"rendered":"Legal Update: PCPD\u2019s Investigation Reports on Two Data Breach Incidents"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hans\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        Legal Update: PCPD\u2019s Investigation Reports on Two Data Breach Incidents                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Oct<\/span>\n                        <span class=\"day\">09<\/span>\n                        <span class=\"year\">2025<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = 
Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"Legal Update: PCPD\u2019s Investigation Reports on Two Data Breach Incidents\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n      
          breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? (href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    
separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\n<p>In this update, <a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a>\u00a0from our\u00a0<a href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/data-privacy\/\">Data Privacy<\/a>\u00a0team looks at two investigation reports published by the Hong Kong Privacy Commissioner for Personal Data (\u201cPCPD\u201d) into data breach incidents occurring in 2024.<\/p>\n<p><strong>Data breach incident of Kwong\u2019s Art Jewellery and My Jewelry<\/strong><\/p>\n<p><em>Brief overview<\/em>: A brute-force attack was conducted on the companies\u2019 shared information systems to obtain administrator credentials, allowing unauthorised access to sensitive data held on the systems. The breach affected approximately 79,400 individuals, including corporate customers and employees. 
The compromised personal data included names, Hong Kong Identity Card numbers, dates of birth, and contact details.<\/p>\n<p><em>Deficiencies identified<\/em>: The PCPD identified key deficiencies, including:<\/p>\n<p>(a) failure to delete a former employee\u2019s account in a timely manner;<\/p>\n<p>(b)\u00a0lack of effective security and detection measures;<\/p>\n<p>(c)\u00a0outdated operating systems of servers; and<\/p>\n<p>(d)\u00a0absence of comprehensive information security policies \/ guidelines and regular assessments and audits.<\/p>\n<p>The PCPD concluded that the companies had not taken all practicable steps to protect personal data, and the companies violated Data Protection Principle (\u201cDPP\u201d) 4(1) of the Personal Data (Privacy) Ordinance (\u201cPDPO\u201d).<\/p>\n<p><strong>Data breach incident of Adastria<\/strong><\/p>\n<p><em>Brief overview<\/em>: The attack utilised the administrator credentials of a then-current employee. The attack was initiated by access from an overseas IP address. The administrator credentials granted unauthorised access to various customer order information. The breach affected approximately 59,205 customers. The compromised personal data included names, telephone numbers, and order details, which were subsequently disclosed on the dark web two months after the attack.<\/p>\n<p><em>Deficiencies identified<\/em>: The PCPD identified key deficiencies, including:<\/p>\n<p>(a)\u00a0weak password management and lack of multi-factor authentication;<\/p>\n<p>(b)\u00a0insufficient awareness of data security protocols; and<\/p>\n<p>(c)\u00a0failure to conduct proper security reviews.<\/p>\n<p>The PCPD expressed concern over Adastria\u2019s inadequate measures to safeguard personal data, particularly given its status as a multinational fashion brand group. 
It concluded that Adastria violated DPP 4(1) of the PDPO by failing to take all reasonable steps to ensure the security of personal data.<\/p>\n<p><strong>The PCPD\u2019s recommendations<\/strong><\/p>\n<p>The PCPD noted that retail businesses handle significant volumes of personal data, and recommended that those businesses:<\/p>\n<p>(a)\u00a0establish and implement clear internal policies and procedures to safeguard the security of the information systems;<\/p>\n<p>(b)\u00a0implement effective measures to prevent, detect and respond to cyberattacks, including conducting regular vulnerability scans and timely patching;<\/p>\n<p>(c)\u00a0cease the use of end-of-support software and promptly upgrade all software;<\/p>\n<p>(d)\u00a0enhance password management of information systems and enable multi-factor authentication;<\/p>\n<p>(e)\u00a0regularly conduct security risk reviews and audits for information systems;<\/p>\n<p>(f)\u00a0configure appropriate security functions on service platforms provided by third-party vendors and conduct regular security reviews;<\/p>\n<p>(g)\u00a0formulate comprehensive data breach response plans; and<\/p>\n<p>(h)\u00a0adequately train employees to improve their data security awareness.<\/p>\n<p>The PCPD emphasised that organisations must allocate sufficient resources to safeguard personal data against increasing cyber threats.<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>These incidents underline a critical need for robust data protection and cybersecurity measures in today\u2019s increasingly threatening digital landscape.<\/p>\n<p>A privacy-secured business requires much more than a technical response. Prevention starts with commitment from senior management, and a privacy management plan that covers policies, plans and processes. Human error is almost invariably involved in a security incident or data breach. 
Training and awareness programmes should be conducted to ensure that employees follow best practices and are vigilant against cyber risk.<\/p>\n<p>Tanner De Witt is well-equipped to assist organisations in navigating these challenges. We regularly help businesses with policies and plans, and conduct practical, customised training to heighten awareness of prevention, mitigation and response measures.<\/p>\n<p>The PCPD\u2019s Media Statement is available at this\u00a0<a href=\"https:\/\/www.pcpd.org.hk\/english\/news_events\/media_statements\/press_20250821.html\" target=\"_blank\" rel=\"noopener\">link<\/a>.<\/p>\n<p class=\"has-text-align-right\"><strong><em>P\u00e1draig Walsh<\/em><\/strong><\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><\/p>\n<p>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\">Email<\/a><\/p>\n<p><em>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was published on 09 October 2025.<\/em><\/p>\n<\/div>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this update, P\u00e1draig Walsh\u00a0from our\u00a0Data Privacy\u00a0team looks at two investigation reports published by the Hong Kong Privacy Commissioner for Personal Data (\u201cPCPD\u201d) into data breach incidents occurring in 2024. 
Data breach incident of Kwong\u2019s Art Jewellery and My Jewelry Brief overview: A brute-force attack was conducted on the companies\u2019 shared information systems to obtain [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[],"insight-category":[1121],"insight-month":[1150],"insight-practice-area":[1125,1142],"insight-year":[1147],"class_list":["post-30808","insight-and-news","type-insight-and-news","status-publish","hentry","insight-category-legal-updates-and-insights","insight-month-october","insight-practice-area-corporate-and-commercial","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1147"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/30808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/users\/1"}],"version-history":[{"count":3,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/30808\/revisions"}],"predecessor-version":[{"id":31113,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/30808\/revisions\/31113"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media?parent=30808"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/tags?post=30808"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-category?post=30808"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insigh
t-month?post=30808"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-practice-area?post=30808"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-year?post=30808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}