The Hong Kong fire department uncovered a recent breach in its computer system that exposed the personal information of over 5,000 department personnel and hundreds of residents. The Hong Kong Fire Department data breach, the third incident involving government data in less than a week, stems from an unauthorized change in privileged access rights during a data migration procedure by an outsourced contractor, according to a statement from the Fire Services Department (FSD).
The Hong Kong Fire Services Department is a government emergency service that fights fires and conducts rescue operations on land and sea. The department is also responsible for providing emergency ambulance service for the sick and injured, as well as fire protection advice to the general public.
However, there is no evidence that the leaked data from the Hong Kong Fire Department data breach had been published online.
Systems Suspended Following Hong Kong Fire Department Data Breach
Following the discovery of the intrusion, the fire department suspended the affected system and launched an investigation along with the third-party contractor. The department immediately revoked the contractor’s access rights to prevent further data leakage and implemented enhanced security measures to prevent similar incidents.
The compromised data included the last names and phone numbers of approximately 480 individuals who reported tree collapse incidents during Super Typhoon Saola in September 2023. Additionally, personal details such as names, phone numbers, and ranks of around 5,000 FSD staff were at risk, with 960 personnel having their incomplete identity card numbers exposed in the breach.
The relevant authorities, including the Police, Security Bureau, Privacy Commissioner for Personal Data, and Government Chief Information Officer, were notified of the breach.
“The FSD believes that the incident happened when the outsourced contractor handled the data migration procedure. During the process, the access right of the data was found altered without authorisation, posing a potential risk of data leakage,” a Fire Services Department spokesperson stated.
The Hong Kong Fire Services Department apologised for the incident and notified those affected through text messages or phone calls. However, the department assured the public that there was as yet no evidence that the data had been leaked.
Data Breach Follows Two Cyber-Incidents within the Same Week
This Hong Kong Fire Department data breach follows similar incidents last week involving the Electrical and Mechanical Services Department (EMSD) and the Companies Registry, in which data stored on their servers was compromised. Lawmaker Elizabeth Quat, who heads the Panel on Information Technology and Broadcasting, has called for improved data security measures and a punishment mechanism for future incidents and similar blunders.
The Electrical and Mechanical Services Department (EMSD) system glitch last Tuesday allowed unauthorized access, through the server platform and without requiring a password, to the names, telephone numbers, identity card numbers and addresses of around 17,000 individuals.
The Companies Registry stated last Friday that security flaws in its online e-Services Portal developed by a third-party contractor resulted in the transmission of additional personal data beyond what was requested by the client computer during searches.
While this additional data was not displayed directly, it could be obtained through the use of web developer tools. The additional data was estimated to affect about 110,000 data subjects and included their names, full passport numbers, identity card numbers, residential addresses, telephone numbers and email addresses.
The city’s privacy watchdog reported a significant increase in data breach notifications last year, signaling a growing concern for data protection. In a recent case involving Cyberport, a government-owned tech hub, the watchdog identified lapses in security audits and unnecessary retention of personal data, highlighting the need for better oversight in handling sensitive information.
The string of government-related data breaches highlights how dependence on external third-party contractors can introduce security weaknesses. This weakness remains a major problem globally, as observed in the recent UK Ministry of Defense data breach, which stemmed from an external payroll provider.