
Staying Ahead of Cyber Threats in the Digital Age – Privacy Commissioner’s article contribution at Hong Kong Lawyer (June 2025)

Cyber Threats in Hong Kong and Worldwide
In today’s digital age, organisations worldwide are increasingly moving their operations and business activities online, spanning areas such as e-commerce, digital banking and e-health. By transitioning from paper-based workflows to electronic operations and cloud storage, many organisations are utilising various digital tools in their daily operations to enhance efficiency and customer experience. However, organisations are not the only entities that understand how to leverage technological advancements. Malicious actors such as hackers can also identify opportunities in the digital realm and exploit vulnerabilities in information systems to infiltrate organisations’ networks and orchestrate crimes.
 
Over the past year, cyber threats have shown no signs of abating. Globally, reports of cyberattacks in various sectors, such as healthcare, supply chains and cloud services, are raising concerns about the security of cyberspace and the data held by organisations.
 
In Hong Kong, my Office received 203 data breach notifications in 2024, representing a nearly 30% increase from the 157 notifications received in 2023. A 2024 survey by my Office revealed that nearly 70% of the surveyed enterprises had experienced at least one type of cyberattack, including phishing attacks, ransomware attacks and credential leakage or theft, in the preceding 12 months. It is therefore evident that cyberattacks are not rare occurrences but real and present threats.
 
Obligations to Safeguard Data Security
The consequences of cyberattacks should not be underestimated. Cyberattacks may cause not only financial losses to an organisation, owing to business disruptions, but also irreparable reputational damage, leading to a loss of customer trust and business.
 
Personal data privacy may also be compromised in a cyberattack, as the personal data stored in an organisation’s information systems may be accessed by hackers. Cyber criminals may also encrypt the personal data, or threaten to disclose it, and demand payment from the organisation to regain access to the data or to prevent its publication. However, even if such payments are made, once the data has been exposed to an unauthorised party, there is hardly any way to guarantee that the data will be completely erased on that party’s end.
 
Organisations, as data users, should note that they have a legal obligation to safeguard the personal data they hold. In particular, under the Data Protection Principles (DPPs) set out in Schedule 1 to the Personal Data (Privacy) Ordinance, organisations should take all practicable steps to ensure that (i) the personal data they hold is not kept longer than is necessary for the fulfilment of the purpose for which the data is used (DPP 2(2)) and (ii) such personal data is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to, amongst other things, the kind of personal data and the harm that could result from a breach (DPP 4(1)).
 
Proactive Cyber Defence
In the digital age, cyberspace is a key area for safeguarding national security and propelling economic and social development. Although the widespread use of online platforms, information systems and various apps, such as online shopping platforms, social media platforms and entertainment, membership or booking apps, offers significant business opportunities and convenience, their use also poses real risks to personal data privacy and, where critical infrastructure is involved, to the operation of essential public services.
 
In July 2024, the CrowdStrike incident, in which a faulty update to CrowdStrike’s Falcon security software crashed approximately 8.5 million Windows systems worldwide, caused global disruption of critical services; it was a reminder that a single defective change in a widely deployed component can have the same operational impact as a deliberate attack. At around the same time, the information systems of the Hong Kong branch of a worldwide charity suffered a ransomware attack, which affected 37 servers and 24 workstations or notebook computers of the charity and the personal data of around 550,000 donors, volunteers, programme partners and participants, staff members and job applicants.
 
It is abundantly clear, therefore, that organisations can no longer ignore the risks looming in cyberspace and should act proactively to defend themselves against cyberattacks. To guard against cyber threats, it is essential for organisations to adopt a comprehensive approach by implementing robust cyber security measures, such as regularly reviewing their information systems’ security settings and ensuring that proper technical and operational security measures are established. It is equally important to raise staff awareness and strengthen their cyber security training, as a single click on a phishing link can compromise an entire information system.
 
In order to assist organisations in strengthening their capabilities to safeguard cyber security, my Office has introduced a range of initiatives. For instance, we have hosted seminars and workshops; created a “Data Security” thematic webpage, which serves as a one-stop platform for various data security resources; and launched a “Data Security Scanner” and hotline (2110 1155). Organisations are encouraged to utilise these resources to proactively strengthen their defence against cyberattacks.
 
As technology continues to develop at an unprecedented pace, organisations must be prepared to tackle ever-evolving cyber security challenges. Safeguarding cyber security is not a one-off task. It requires timely and proactive actions, as well as continuous and collective commitment, from us all.