Online platform Carousell violated Hong Kong privacy laws, watchdog finds, after data of over 320,000 locals leaked | South China Morning Post

Popular online marketplace Carousell violated Hong Kong's privacy laws, a watchdog said on Thursday, following the discovery of the personal data of more than 320,000 local users on sale on the dark web.

The Office of the Privacy Commissioner for Personal Data announced the findings from its investigation into the leak, which the platform reported in October last year, calling the incident serious given its scale.

"With regards to the information leaked, it involves email addresses, phone numbers, birthdays, birth months and years," privacy commissioner Ada Chung Lai-ling said.

"We think this situation is serious, especially since it involves more than 320,000 users."

Carousell discovered in October 2022 that the personal data of 2.6 million users, among which 324,232 were from the city, was being sold online. The platform told the watchdog and the affected users following the incident.

Chung said Carousell had noted that the leak was linked to a loophole in its system migration process, which began in January 2022 and which hackers exploited in May and June last year to steal personal information that was not available to other users.

The issue was only discovered and resolved in September last year, while the platform was testing a new feature, but it was determined at the time that the loophole had not been exploited.

Chung said the leaked information could allow criminals to do many things, including directly contacting those involved, stealing their identity to scam others, and accessing other accounts belonging to them.

The office, which enforces the Personal Data (Privacy) Ordinance, found that the platform was in breach of a data protection principle concerning the security of such information.

It said evidence showed the company had made several errors leading to the hacking, including failing to check whether a comprehensive code review process was carried out, not ensuring there was a thorough security assessment, and not having an effective detection mechanism in place.

"In conclusion, the data leakage incident has revealed that Carousell has made fundamental errors in protecting the safety of the personal data held by this group. It is very disappointing," Chung said.

"I believe that if there were some general risk and safety assessment measures at the time, the incident could have been avoided."

The watchdog said whether the data had been sold on the dark web was not the subject of its investigation, but warned that part or all of the information could have been bought while it was online.

Chung advised affected users to beware of suspicious calls and emails, check their bank accounts from time to time, change their passwords and enable multi-factor authentication for their other accounts.

The watchdog has served an enforcement notice on the platform demanding that it carry out a series of measures to remedy the situation and prevent its recurrence, which include hiring an independent data security expert and devising local guidelines to ensure the information security of users.

It said the platform had two months from the date the notice was issued to submit documents proving it had completed the required actions.

A Carousell spokeswoman said the company respected the written judgment from the office and that it would review the recommendations and continue to work closely with the watchdog.

"Protecting our users' personal information has been and will always be of paramount importance to us," she said.

"To ensure that we maintain a robust and effective security posture, we continually invest significant resources in enhancing our security infrastructure and cybersecurity efforts."

Separately, the watchdog also revealed the findings of another investigation that looked into four complaints related to the use of personal data in human resources management, including two cases where supervisors improperly disclosed details of employees' illnesses in chat groups on instant messaging apps.

One of the cases involved a worker at Kwong Wah Hospital who asked his department manager for sick leave through an instant messaging app on two occasions. His direct supervisor then forwarded the messages to a chat group with 47 members of staff who worked in the same department, according to the watchdog.

Referring to the two cases, Chung urged employers and those in human resources to be careful when handling health-related information and advised against spreading such personal details on a messaging app.

"Even though you may need to disclose some information to other workers to arrange for staff redeployment, there is no need at all for the employer or for human resources managers to disclose the physical condition of the employee in question to other workers," she said.

Previous large-scale data leaks in Hong Kong included some public institutions hit by ransomware attacks, such as the consumer watchdog and tech hub Cyberport.

In the Cyberport incident, hackers reportedly demanded a ransom of HK$2.35 million (US$300,500) after stealing more than 400 gigabytes of information.