Skip to content

Media Statements

Media Statements

Date: 23 December 2015

PCPD Initiates Investigation into the Security Vulnerability of SanrioTown Website

(23 December 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) has commenced an investigation into the security vulnerability of SanrioTown website.

SanrioTown website is operated by Sanrio Digital (HK) Limited, a Hong Kong company, that announced to the public that the personal data of up to 3.3 million members of SanrioTown website could have been publicly accessible owing to a security vulnerability. The personal data that might have been accessible includes the name, email address, date of birth and encrypted password. Credit card or other payment information is not included.

The Privacy Commissioner for Personal Data, Mr Stephen Wong, said, “This incident involves a large number of persons and it may include children’s personal data. There is no indication on the number of affected members in Hong Kong. The PCPD is concerned about the incident and has decided to commence an investigation into it. In fact, data breach incident occurs from time to time. I appeal to all web operators to take all practicable steps to safeguard personal data against loss, unauthorised access or disclosure. The potential harm to individuals as a result of the data breach could be serious. The situation will be more serious if children’s personal data is involved.”

Mr Wong added, “As the targets of these websites are children, I appeal to the parents that in responding to the risks arising from new technology, they should learn and discuss with their children about the smart use of technologies and their related risks. Parents may wish to read our leaflets entitled Children Online Privacy – Practical Tips for Parents and Teachers. Parents and their children have to know the privacy risks and consequences before providing their personal data. We need to be vigilant and stay smart when we go online! ”

Data Protection Principle 4 (Data Security Principle) of the Personal Data (Privacy) Ordinance stipulates that all practicable steps shall be taken to ensure that personal data held by a data user is protected against unauthorized or accidental access, processing, erasure or other use.

If there is a contravention of the Data Protection Principles, the Privacy Commissioner may upon completion of an investigation serve an enforcement notice to direct the data user to remedy the contravention and prevent its re-occurrence. Contravention of an enforcement notice is an offence which would attract a maximum fine of HK$50,000 and imprisonment for 2 years. If the offence continues after the conviction, the data user is liable to a daily penalty of $1,000.

Children Online Privacy – Practical Tips for Parents and Teachers

- End -