Data leak highlights security flaws

By Claire Chow

Hong Kong, 29 December 2023: Organisations have been reminded by the Privacy Commissioner to implement robust data protection measures after popular online marketplace Carousell suffered a “serious” leak of users’ personal information in January last year. After investigating the incident, Hong Kong’s privacy watchdog has published a report which includes a list of recommendations designed to prevent such data security lapses.

Carousell is a Singapore-based retail platform for the buying and selling of new and second-hand goods. It operates in its home city plus Hong Kong, Malaysia, Indonesia, the Philippines and Taiwan, with tens of millions of users. In October 2022 it discovered that the personal data of 2.6 million users – including almost 325,000 in Hong Kong – was being sold on the dark web. It immediately informed the Privacy Commissioner and the affected customers.

The platform said the data breach was caused by a security vulnerability that was introduced during a system migration in January 2022. Hackers accessed and stole the information – including email addresses, phone numbers and birthdays – during the following May and June. The stolen information could allow criminals to directly contact victims, or steal their identity to scam others, or access other accounts belonging to them.

After completing her investigation, Privacy Commissioner Ada Chung listed five deficiencies causing the leak: failure to conduct a privacy impact assessment prior to the system migration; incomprehensive code review process; inadequate security assessment associated with the system migration; lack of a written policy in relation to the code review process; and lack of effective detection measures.

Considering Carousell’s extensive international operations and the vast number of active users it serves, Ms Chung said it was “reasonable to expect that the Carousell Group, including Carousell Limited in Hong Kong, would have invested sufficient resources in ensuring the robust security of its information systems”. However, the incident revealed “fundamental failures” to ensure personal data security. She observed that the leak “could have been avoided if some normal risk and security assessment procedures and tools had been implemented”.

The Privacy Commissioner concluded that Carousell had not taken all practicable steps in relation to the system migration to ensure that the personal data was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance (Cap 486) (the “PDPO”).

She has served an Enforcement Notice on the platform, directing it to remedy and prevent recurrence of the contravention. Steps it must take include engaging an independent data security expert to review its web and mobile applications, conducting security assessments and improving data protection training for all staff. Carousell has two months to provide documentary proof that it has implemented the measures.

As part of her report, Ms Chung has made the following recommendations on strengthening security to organisations which may perform information system migration involving personal data:

  • Carry out privacy impact assessments, especially when significant changes are made to systems;
  • Develop a migration plan that prioritises data protection;
  • Conduct effective vulnerability assessments;
  • Provide relevant employee training;
  • Implement an effective mechanism for detecting abnormal activities; and
  • Formulate localised policies and procedures to ensure compliance with the PDPO.

In addition, given that the Carousell Group is based in Singapore, the Privacy Commissioner has shared her report with Singapore’s Personal Data Protection Commission in accordance with a Memorandum of Understanding between the two bodies.

The report is a timely reminder that data leaks and other cyber security breaches are increasing worldwide, leaving individuals and organisations exposed not only to immense inconvenience but also reputational damage, financial loss and potential legal consequences. Robust safety systems help maintain sound business relationships, increase public confidence and reduce the risk of litigation.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.
