Media Statements

 The Office of the Privacy Commissioner for Personal Data (PCPD) today published (1) an investigation report of the data breach incident of Yau Yat Chuen Garden City Club Limited (the Club) and (2) Practical Tips on Safeguarding Children’s Online Privacy.

1.  Data Breach Incident of Yau Yat Chuen Garden City Club

The investigation arose from a data breach notification submitted by the Club to the PCPD on 31 October 2025, reporting that its club management system (the CMS) was rendered inoperable as a result of a ransomware attack that encrypted information system files stored on a server (the Incident).
 
The CMS was provided and maintained by an external service provider (the Service Provider) for managing members’ information of the Club, with all associated personal data stored on the server (the Server). The Service Provider had the ability to remotely access the Server via dedicated remote access software (the Software) for the purpose of providing technical support.
 
The investigation revealed that the Software was operating on an outdated version that contained a known security vulnerability at the time of the Incident. The vulnerability enabled the threat actor to compromise the account credentials used by the Service Provider, thereby gaining direct entry to the Server where personal data was stored. This was further facilitated by the Server being left in a logged-in state without the implementation of additional authentication controls, thereby further undermining the security defences of the CMS. In addition, the Club’s antivirus software and firewall were outdated, rendering them unable to detect and prevent the hacking activities.
 
The Club is a private, non-profit social and recreational organisation that provides recreational facilities and dining services exclusively to its registered members and their guests. A total of 9,045 data subjects were affected by the Incident, which included 1,553 active members, 1,723 supplementary card holders, 1,313 former members, and 4,456 former supplementary card holders. The personal data affected included the full names, Hong Kong Identity Card numbers and/or passport numbers, dates of birth, email addresses, contact numbers and addresses.
 
The Club notified the affected persons after the Incident, and implemented various remedial measures, which included discontinuing the use of the previously vulnerable remote access software and monitoring all remote access, updating the antivirus software and firewall for all servers and endpoints to the latest versions, and applying encryption to the personal data files on the servers.
 
The PCPD conducted four rounds of inquiries and reviewed the information provided by the Club in relation to the Incident, and the follow-up and remedial actions taken by the Club after the Incident. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the Club contributed to the occurrence of the Incident (See Annex 1 for details):-

1. Use of outdated remote access software that contained a known security vulnerability;
2. Absence of user authentication measures for remote access to the Server;
3. Use of outdated antivirus software and firewall;
4. Lack of organisational measures for information security; and
5. Prolonged retention of personal data.

The Privacy Commissioner was disappointed that the Club had not adopted appropriate and adequate organisational and technical information security measures before the Incident to safeguard the personal data stored in its information systems. Based on the above, the Privacy Commissioner found that the Club had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data.
 
In addition, the Privacy Commissioner found that the Club had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP 2(2) concerning the retention of personal data.
 
The Privacy Commissioner has served an Enforcement Notice on the Club, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
 
The Privacy Commissioner notes that databases that contain the data of members and customers often contain extensive, comprehensive, and continuously updated personal data. As such, they have become primary targets for cyberattacks. Following the infiltration into such databases, threat actors often exfiltrate large amounts of personal data, which could subsequently be sold for unlawful use. The Privacy Commissioner, Ms Ada CHUNG Lai-ling, reminds organisations that collect and retain large volumes of personal data belonging to members and customers, “Membership and customer data is a valuable asset of an organisation and can be said to be a high-risk target of cyberattacks. Organisations should adopt a proactive strategy, regularly review the effectiveness of the security measures of their information systems, and allocate sufficient resources to protect such personal data, thereby ensuring compliance with the PDPO and meeting the reasonable expectations of data subjects.”
 
The Privacy Commissioner recommends organisations to adopt adequate and appropriate organisational and technical measures to safeguard their information systems that contain personal data. In particular, organisations should:

• Timely update remote access software, antivirus software and firewalls in order to patch any known vulnerabilities;
• Implement effective user authentication for data access, including strong passwords and multi‑factor authentication;
• Establish adequate organisational measures, including clear internal policies for information security, as well as secure and reliable remote access solutions;
• Conduct regular security risk assessments, vulnerability scans and system audits to identify and rectify security weaknesses;
• Formulate a data retention policy to ensure that personal data is not retained longer than is necessary; and
• Provide regular staff training on information security.

The PCPD encourages organisations to make reference to the “Guidance Note on Data Security Measures for Information and Communications Technology (ICT)” and the “Guidance on Data Breach Handling and Data Breach Notifications” issued by the PCPD to bolster their defences against cyberattacks and to enhance cybersecurity and data security. To assist enterprises in safeguarding data security, the PCPD has launched a Data Security thematic webpage^[1], a data security hotline (2110 1155) and the “Data Security Scanner”^[2], which is a self-assessment toolkit for enterprises to assess the data security measures for their information systems.
 
In addition, to strengthen the capabilities of organisations, in particular small and medium enterprises and non-profit-making organisations, in safeguarding data security and cyber security, the PCPD relaunches the “Data Security Package” today. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of a free assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures.

2. “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”

In today’s digital world, children have been actively engaging in online learning platforms, social media platforms, online games and other online services, often from a very young age. While the internet brings convenience and opportunities for learning and social interaction, it also exposes children to increasing risks to their personal data privacy, such as excessive collection of personal data and retention of personal data for longer than is necessary. Such personal data may also be used for cyberbullying, doxxing and even scams.
 
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, notes that when compared to adults, children are generally less appreciative of the privacy and safety implications of their online behaviour. To support parents and teachers, therefore, the PCPD has published the “Practical Tips for Parents and Teachers – Safeguarding Children’s Online Privacy” (the Tips), which provide practical advice on how parents and teachers can help children protect their personal data privacy and safety in the online world.The Privacy Commissioner encourages parents and teachers to join hands to co-create a safe and privacy-friendly digital space for children, proactively guide them to develop good online habits, and strengthen their awareness of personal data protection, so that they can participate in online activities safely and with peace of mind.
 
The Tips set out practical advice on how parents and teachers can guide children to protect their personal data privacy online. Key recommendations include: 

1. Proactively participating in children’s online activities. Parents and teachers are encouraged to discuss with children the ‘dos’ and ‘don’ts’ of online behaviours, suitably use parental controls provided by online platforms to monitor children’s online activities, and try the latest technologies out to gain a deeper understanding of the functions and services of online platforms;
2. Safeguarding children’s online privacy. Children should be reminded not to over-share personal data when using online platforms or interacting with artificial intelligence (AI) tools. They should remain vigilant about their digital footprint, and parents and teachers should review and change default privacy settings and cultivate a sense of respect for others’ privacy;
3. Being a role model. Parents and teachers should set good examples by protecting their own personal data and respecting others’ personal data privacy, such as consulting friends and family members before sharing their personal data. They should also prioritise the best interest of the children when sharing their information on the internet; and  
4. Reminding children of the pitfalls of the digital world. Children should be reminded of risks such as online scams, cyberbullying, abuse of AI deepfakes and doxxing. They should also be reminded that their personal data is marketable by many organisations, that giving up their personal data in exchange for an ostensibly ‘free’ service may not be worthwhile, and that there is no permanent ‘delete’ button on the internet.

Download the information pamphlet on “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/leaflet_childrenonlineprivacy_e.pdf
 
Furthermore, to facilitate parents and teachers in understanding the advice in the Tips, the PCPD has also published a leaflet summarising the key recommendations of the Tips. Download the leaflet:
https://www.pcpd.org.hk/english/resources_centre/publications/files/safeguarding_practicaltips.pdf