Media Statements

Privacy Commissioner’s Office Publishes Two Investigation Reports on the Data Breach Incidents of (1) Kwong’s Art Jewellery Trading Company Limited and My Jewelry Management Limited and (2) Adastria Asia Co., Limited

Upon completion of the investigations into the data breach incidents involving Kwong’s Art Jewellery Trading Company Limited (Kwong’s Art Jewellery) and My Jewelry Management Limited (My Jewelry), as well as Adastria Asia Co., Limited (Adastria), the Office of the Privacy Commissioner for Personal Data (PCPD) published the investigation reports today.
 
(1) Data Breach Incident of Kwong’s Art Jewellery and My Jewelry
 
The investigation arose from a data breach notification submitted by Kwong’s Art Jewellery and My Jewelry to the PCPD on 11 November 2024, reporting abnormalities in their shared information systems and receipt of messages from a threat actor which claimed that the data stored in the information systems of Kwong’s Art Jewellery and My Jewelry had been stolen. Upon inspection, Kwong’s Art Jewellery and My Jewelry confirmed that the data stored in their database server had been stolen and deleted (Incident).
 
Kwong’s Art Jewellery is the parent company of My Jewelry and is engaged in jewellery manufacturing and wholesale, while My Jewelry is a jewellery retail company which operates the brand “My Jewelry”. Kwong’s Art Jewellery and My Jewelry have been jointly managing and using the affected information systems, including the servers, applications and databases.
 
The investigation revealed that the threat actor conducted a brute-force attack to obtain the credentials of an administrator account (Account). The threat actor utilised the Account to gain access to the information systems of the two companies and performed lateral movement within the network, which included implanting a Trojan Horse program on a desktop computer used for internal system development and programming. This allowed the threat actor to obtain the source code to control the database server, which led to the successful exfiltration and deletion of the personal data stored therein.
 
According to the information provided by Kwong’s Art Jewellery and My Jewelry, approximately 79,400 data subjects were affected by the Incident, including corporate customers and current and former employees of Kwong’s Art Jewellery, as well as retail customers and current and former employees of My Jewelry. The personal data affected included the names, Hong Kong Identity Card numbers, dates of birth, telephone numbers, addresses and commencement dates of employment of employees, as well as the names, Hong Kong Identity Card numbers (first four alphanumeric characters), years and months of birth, telephone numbers, email addresses, and membership numbers of customers.
 
Following the Incident, Kwong’s Art Jewellery and My Jewelry implemented various improvement measures to enhance the security of their information systems, which included resetting login passwords for all users, updating operating systems of servers, antivirus software and firewall, as well as deploying “extended detection and response” tools for continuous monitoring of their information systems, etc. In addition, Kwong’s Art Jewellery and My Jewelry notified all affected data subjects after the Incident.
 
The PCPD conducted seven rounds of inquiries and reviewed the information provided by Kwong’s Art Jewellery and My Jewelry in relation to the Incident, and the follow-up and remedial actions taken by the two companies after the Incident. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of Kwong’s Art Jewellery and My Jewelry contributed to the occurrence of the Incident (See Annex 1 for details):-

1. Failure to delete a former employee’s account in a timely manner;
2. Lack of effective security and detection measures in the information systems;
3. Outdated operating systems of servers;
4. Lack of policies and guidelines on information security; and
5. Absence of security assessments and audits of the information systems.

The Privacy Commissioner considered that Kwong’s Art Jewellery and My Jewelry failed to adopt adequate and effective security measures at the time of the Incident to safeguard the personal data in their possession. The Privacy Commissioner expressed profound regret that Kwong’s Art Jewellery and My Jewelry failed to recognise the security risks in their information systems, resulting in the failure to timely delete the former employee’s account, failure to implement effective security and detection measures, the use of outdated operating systems of servers, failure to formulate policies and guidelines on information security, and the absence of security assessments and audits of the information systems, which eventually led to the Incident.
 
Based on the above, the Privacy Commissioner found that Kwong’s Art Jewellery and My Jewelry had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data.
 
The Privacy Commissioner has served Enforcement Notices on Kwong’s Art Jewellery and My Jewelry, directing them to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future.
 
(2) Data Breach Incident of Adastria
 
The investigation arose from a data breach notification submitted by Adastria to the PCPD on 18 November 2024, reporting that its customer relationship management platform and e-commerce platform (collectively, the Affected Platforms) were accessed by an unauthorised third party, which resulted in the exfiltration of the personal data of Adastria’s customers (Adastria Incident).
 
The investigation revealed that the Affected Platforms operated as a Software-as-a-Service (SaaS) which was provided by a third-party vendor (the Platform Vendor). In the Adastria Incident, the threat actor used the credentials of an administrator account of a current employee to connect to the Affected Platforms from an unknown overseas IP address and downloaded the order information stored therein.
 
Adastria is a Japanese multinational corporation engaging in fashion retail in various Asian countries. At the time of the Adastria Incident, Adastria was managing the sales of its affiliated brands (including GLOBAL WORK, “niko and …”, LOWRYS FARM, Heather, JEANASiS, studio CLIP, repipi armario, LEPSIM, PAGEBOY) in Hong Kong through its online platform “dot st HK”. The personal data of a total of 59,205 customers was affected by the Adastria Incident. The personal data affected included the names, telephone numbers and order information of customers (including the transaction reference numbers, order dates, membership numbers, delivery methods, deliver/pickup dates, delivery addresses, product names and descriptions, and price information).
 
During the course of investigation, Adastria discovered that the affected personal data was disclosed in the Dark Web approximately two months after the Adastria Incident and was made available for download.
 
Adastria notified all affected customers after the Adastria Incident. Adastria also implemented various remedial measures to address the deficiencies identified in the Adastria Incident, including enabling the security functions of the Affected Platforms, such as password measures, multi-factor authentication and IP address restriction function, and deploying an endpoint detection and response solution to detect and block any malicious activities on its information systems.
 
The PCPD conducted five rounds of inquiries and reviewed the information provided by Adastria in relation to the Adastria Incident, including two investigation reports provided by a third-party consultant engaged by Adastria, and the follow-up and remedial actions taken by Adastria after the Adastria Incident. Having considered the circumstances of the Adastria Incident and the information obtained during the investigation, the Privacy Commissioner found that the following deficiencies of Adastria contributed to the occurrence of the Adastria Incident (see Annex 2 for details):-

1. Weak password management;
2. Failure to enable multi-factor authentication for access to accounts;
3. Lack of awareness to ensure the security of personal data; and
4. Failure to conduct proper security reviews on the Affected Platforms.

Given that Adastria is a well-known multinational fashion brand group and holds a large volume of the personal data of customers, the Privacy Commissioner regretted to note Adastria’s lack of awareness in data security and the absence of proper measures to protect the personal data in its possession. The Privacy Commissioner was of the view that had Adastria adopted appropriate and adequate organisational and technical security measures before the incident, the Adastria Incident could likely have been avoided.
 
Based on the above, the Privacy Commissioner found that Adastria had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP4(1) of the PDPO concerning the security of personal data.
 
The Privacy Commissioner has served an Enforcement Notice on Adastria, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
 
The Privacy Commissioner notes that both data breach incidents involved retail organisations which held significant amounts of customers’ personal data, with evidence suggesting subsequent disclosure of customers’ data in the Dark Web in one incident. These incidents demonstrate the link between data breach incidents and both the illicit sale of personal data for profit, as well as the use of personal data by fraudsters in different fraudulent activities. The Privacy Commissioner recognises that retail organisations in general may have limited resources for cybersecurity. However, given the rapidly evolving cybersecurity risks and the increasing trend of using personal data in fraudulent activities in recent years, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, reminds the retail industry and organisations that hold significant amounts of personal data of customers, “In the face of escalating cybersecurity threats, organisations should recognise that the personal data in their possession are valuable assets and allocate sufficient resources on cybersecurity and data security in order to safeguard the personal data in their possession, thereby complying with the requirements of the PDPO and meeting the reasonable expectations of data subjects.”
 
The Privacy Commissioner recommends organisations to adopt appropriate organisational and technical measures to safeguard their information systems that contain personal data. In particular, organisations should:

• Establish clear internal policies and procedures to safeguard the security of information systems and ensure thorough implementation of the same;
• Implement effective measures to prevent, detect and respond to cyberattacks, including conducting regular vulnerability scans and patching cybersecurity vulnerabilities in a timely manner;
• Cease the use of end-of-support software and upgrade software in a timely manner;
• Enhance password management of information systems and adopt multi-factor authentication;
• Conduct comprehensive security risk reviews and audits for information systems regularly;
• Configure appropriate security functions on service platforms provided by third-party vendors and conduct regular security review;
• Formulate a data breach response plan; and
• Provide appropriate training to employees to improve their data security awareness.

The PCPD encourages organisations to make reference to the “Guidance Note on Data Security Measures for Information and Communications Technology (ICT)” and the “Guidance on Data Breach Handling and Data Breach Notifications” issued by this Office to prepare themselves against any cyberattacks and to enhance cybersecurity and data security. To assist enterprises in safeguarding data security, the PCPD has launched a Data Security thematic webpage[1], a data security hotline (2110 1155) and the “Data Security Scanner”[2], which is a self-assessment toolkit for enterprises to assess the data security measures for their ICT systems.