Privacy Commissioner’s Office Publishes Investigation Findings on the Data Breach Incident of the Urban Renewal Authority and a Guidance on Cloud Computing
On completion of its investigations into the data breach incident of
the Urban Renewal Authority, the Office of the Privacy Commissioner
for Personal Data (PCPD) published the investigation findings today.
The PCPD also published a “Guidance on Cloud Computing” in parallel.
(1) Data Breach Incident of the Urban Renewal Authority (URA)
The investigation arose from a data breach
notification submitted by the URA to the PCPD on 13 May 2024,
reporting that the personal data of members of the public stored on a
cloud platform by the URA could be accessed by any person without
inputting any account or password (the Incident).
Background
The URA used the e-Form platform (the
e-Form Platform) associated with the cloud platform ArcGIS Online to
create two e-forms for the purposes of the briefing sessions on the
property acquisition under the Nga Tsin Wai Road / Carpenter Road
Development Scheme. The URA launched the e-forms on 2 May 2024 for
owners, tenants and shop operators attending the briefing sessions to
fill in information for registration. According to the URA, it had
conducted multiple security checks during the creation of the e-forms.
Upon receipt of the Police’s notification on 3 May 2024 that some of
the data of the e-forms might be leaked, the URA immediately ceased
using the cloud platform ArcGIS Online and deleted the personal data
stored therein. The URA subsequently learned that the personal data of
the persons who registered to attend the briefing sessions could
be accessed by any person without logging into any account with a
password. Therefore, it submitted a data breach notification to the
PCPD on 13 May 2024.
The Incident affected the personal
data of 199 owners and tenants who had replied to attend the briefing
sessions. The affected personal data included telephone numbers, names
of the contact persons and the details of their ownership or their
correspondence addresses.
In response to the Incident, the
URA conducted a joint investigation with the contractor which provided
the e-Form Platform and came to understand that there were different
versions of the software of the e-Form Platform. The new version has
been available for download since July 2022. In particular, the
default values concerning data sharing were different between the old
and new versions. For the default values under the new version, it was
only when users made a number of extra settings that the software
would allow them to view the data input without having to log in. The
software used by the URA to create the forms was, however, an old
version that it had downloaded and installed earlier. Hence, the
aforesaid default values of the new version, which strengthened the
protection of users’ data, were not applied to the e-forms in
question. On the other hand, the URA confirmed that as its staff did
not have sufficient knowledge and understanding of the relevant
versions of the e-Form Platform, when it tested the e-forms, the URA
did not review the relevant data sharing settings in detail and did
not conduct security testing on the relevant functions, leading to the
occurrence of the Incident. The URA agreed that if the software used
by the URA at the material time were the latest version of the e-Form
Platform, the Incident would not have occurred.
Based on the
information provided by the URA, after learning of the Incident, the
URA notified the public immediately, endeavoured to ensure that there
was no leakage of the personal data of citizens and minimised the
impact on or inconvenience caused to members of the public. The URA
also strived to learn from the Incident and implemented a series of
organisational and technical improvement measures to establish a more
robust privacy security framework and a corporate culture that values
the protection of personal data to prevent the recurrence of similar
incidents.
Investigation Findings
In the course of
the investigation, the PCPD has conducted five rounds of enquiries
with the URA and approached the contractor twice to obtain relevant
information regarding the Incident. The PCPD thanked the URA and the
contractor for their cooperation and the provision of the information
and documents requested in the investigation. Having considered the
circumstances of the Incident and the information obtained during the
investigation, the Privacy Commissioner for Personal Data (Privacy
Commissioner), Ms Ada CHUNG Lai-ling, found that the following
deficiencies of the URA were the main contributing factors of the
occurrence of the Incident:-
1. Failure to update the
software in a timely manner to ensure that the software used was the
most updated version. The URA had not been taking any action to check
whether the software of the e-Form Platform that it used was the most
updated version, and had failed to update the software;
2. Lack of understanding of the software used to collect personal data,
and failure to develop and conduct effective and comprehensive
security tests for the use of the software, resulting in the omission
of some key functions in the security check of the forms. In the end,
the URA could not detect in a timely manner that data was open to
public access, which eventually led to the occurrence of the Incident.
Based on the above, the Privacy Commissioner found that the
URA had not taken all practicable steps to ensure that the personal
data involved was protected against unauthorised or accidental access,
processing, erasure, loss or use, thereby contravening Data Protection
Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (“the
Ordinance”) concerning the security of personal data.
The
Privacy Commissioner has served a warning letter on the URA,
requesting it to take measures to enhance the protection of the
personal data held by it in order to prevent recurrence of similar
contraventions in future.
(2) “Guidance on Cloud Computing”
In the light of the growing popularity of cloud
computing services, the PCPD has in parallel updated the Guidance on
Cloud Computing (“Guidance”) to explain the relevant requirements of
the Ordinance that are applicable to cloud computing with a view to
assisting organisations that use cloud computing in enhancing the
protection of personal data privacy.
Taking into account
the latest technologies and trends in cloud computing services, the
Guidance provides recommended measures on various aspects for
organisations to better protect personal data privacy, covering
aspects such as service and deployment models, standard services and
contracts as well as outsourcing arrangements. The key recommended
measures are as follows:-
Service and deployment models:
Cloud service providers may update their cloud services from
time to time to offer new features or configurations. Therefore,
organisations should take note of such updates and take corresponding
actions, including updating the relevant software and/or adjusting the
appropriate configurations;
Dedicated private clouds
generally allow organisations to have more control and privacy than
shared public clouds. Organisations intending to use shared public
clouds should carefully consider the relevant responsibilities and
arrangements in protecting personal data privacy, and take
corresponding measures;
It would be more difficult for
organisations that use Software as a Service (SaaS) in their service
model to exercise direct control over the personal data for which they
are accountable. These organisations need to assess the risks
associated with such arrangements and mitigate them according to the
actual circumstances;
Standard services and contracts: If the
standard security level or the personal data protection commitment
made by a cloud service provider fails to meet the organisation’s
requirements, the organisation should request customised services from
the provider and negotiate contract terms that meet such requirements.
Organisations should also find ways (such as audit reports or
declarations) to verify the data protection and security measures
adopted by cloud service providers;
Outsourcing arrangements:
If there is a sub-contracting arrangement, organisations should ensure
that they obtain contractual assurance from the cloud service provider
that the same level of protection and compliance controls are
applicable to their sub-contractors;
Others:
Logging: Retain the audit trails provided by cloud service
providers and review the logs regularly to detect abnormal activities;
Appropriate user configuration: Organisations should
thoroughly understand the functions of the configurations and ensure
that their access to cloud services is correctly configured with
reference to individual use cases;
Encryption in transit and
at rest: Personal data should be encrypted when stored on the cloud,
and organisations may wish to choose cloud service providers that
offer encryption at rest in their services;
Enable Multi-factor Authentication; and
Erase data: An organisation should
ensure that there are provisions in the contract requiring the erasure
or return of personal data held by the cloud service provider to the
organisation upon the organisation’s request, or upon completion or
termination of contract.
The Privacy Commissioner, Ms Ada
CHUNG Lai-ling, said, “The organisations that use cloud computing and
cloud service providers have a shared responsibility to safeguard data
security in a cloud environment, including the security of the
personal data stored on the cloud, and comply with the relevant
requirements of the Privacy Ordinance. I encourage organisations to
adopt the measures recommended in the Guidance, such as encrypting the
personal data stored on cloud, ensuring that only authorised persons
can access the personal data stored on cloud, understanding the latest
functions or configurations provided by cloud service providers, and
ensuring that there are provisions in the contract requiring the
erasure or return of personal data held by the cloud service provider
upon completion of contract.”
Download the new “Guidance on
Cloud Computing”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/IL_cloud_e.pdf
The PCPD published a new “Guidance on Cloud Computing”.