Date: 4 January 2018
Privacy Commissioner Raised Concern Over the Frequent Occurrence of Data Security Incidents at Travel Agents
Measures on Enhancing Data Security Reiterated
(4 January 2018) The Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) was concerned about the numerous recent data security incidents resulting from the hacking of travel agents' computer systems, and reminded the industry to stay vigilant and comply with the requirements of the Personal Data (Privacy) Ordinance (the Ordinance) by taking practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use. Security measures include:
formalising and documenting the administrative measures adopted to safeguard sensitive documents in the existing workflow or other procedural guidelines;
fully enforcing the requirement to have personal data encrypted during transmission through untrusted networks, including the internet, and stating the consequence of non-compliance;
reviewing and improving the existing IT security policy and IT governance to ensure their comprehensiveness and integrity; and
revising and improving the guideline for handling data loss or leakage.
Hacking into computer systems would amount to cybercrime. It is noted that the Police is now conducting a criminal investigation into the relevant cases. The office of the Privacy Commissioner for Personal Data, Hong Kong (the PCPD) will keep close communications with the Police.
Regarding the alleged data leakages by Big Line Holiday and Goldjoy Holidays due to suspected system hackings, the PCPD has received Data Breach Notifications from the travel agents concerned and has initiated compliance checks. The PCPD will also assist the travel agents in taking remedial actions to mitigate the potential damage. Regarding the alleged data leakage by another travel agent, WWPKG, due to a suspected system hacking, a compliance check initiated by the PCPD is underway.
The Privacy Commissioner Mr Stephen Kai-yi WONG said, "The rising trend of the customers’ data breaches caused by cybersecurity incidents at travel agents has come to our concern. From the information we gathered, the recent three data security incidents involving Big Line Holiday, WWPKG and Goldjoy Holidays were computer system invasion in nature. On cybersecurity, travel agents as data users should take all reasonably practicable security measures to protect customers' personal data. Due to ever-changing technology, causes of cyber security incidents have become diversified, making the trace of the incidents more challenging. We would approach relevant travel agents and initiate compliance checks should there be any data breaches, including those resulting from hackers' attacks."
In view of the vast amount of customers’ personal data collected and retained by travel agents, the Privacy Commissioner published an inspection report (the Report) about the personal data protection measures for the reference of the travel service industry in January 2016, which included the examination of IT security (e.g. technical arrangements against intruders, malicious software and vulnerabilities). The Report set out some practices adopted by the travel agent inspected that were worthy of note and suggested a number of recommendations on security measures. The Report can be downloaded at the PCPD website.
The Privacy Commissioner will continue to engage stakeholders of the tourism sector, including industry organisations and corporates, to promote privacy protection among the industry, to raise awareness and understanding of the Ordinance, and to nurture the “protect, respect personal data” culture among industry practitioners by organising professional workshops, seminars, forums and meetings with the stakeholders.
– End –