Hong Kong Loses 3.7 Million Voter Registration RecordsTwo Backup Laptops Stolen from Locked Storeroom
Hong Kong's electoral office has apologized after two laptops were stolen, containing voter registration records along with the names of members of its Election Committee, which picked a new chief executive for the region last weekend.
One laptop held voter registration data including ID card numbers, physical addresses and mobile phone numbers, according to Registration and Electoral Office. The other contained the names of the 1,194 members of the Election Committee, although those are already public.
The REO says the laptops were stored in a locked room at the AsiaWorld Expo, a large conference facility next to Chek Lap Kok International Airport just north of Lantau Island.
"We apologize to the voters for the incident," the REO says. "The REO will inform the affected voters about the incident as soon as possible."
The data was stored in accordance with the "relevant security requirements," including multiple layers of encryption, the REO says. It did not specific what type of encryption was used.
It also did not say how many voters might be affected, but Channel News Asia reported that Hong Kong has 3.7 million registered voters. Hong Kong's Privacy Commissioner for Personal Data has launched an investigation.
On March 26, the Election Committee picked Carrie Lam as the first female chief executive of Hong Kong, which is formally known as the Hong Kong Special Administrative Region of the People's Republic of China. The election happens every five years.
The laptops were part of a backup system for the election. REO says the room, in Hall 7 of the AsiaWorld Expo, was monitored by closed-circuit television. The South China Morning Post reported that the door to the room was locked and required both a passcode and an access card for entry. It doesn't appear the door was forced open.
An anonymous source told the SCMP that the computers themselves were not expensive, leading investigators to believe that the equipment may have been intentionally targeted.
The laptops were left in the storeroom on March 22 and were still there two days later. The theft was discovered on March 27. The computers were taken out of their bags, which were left behind, the SCMP reported.
Hong Kong lead the pack early in Asia in adopting data privacy regulations, according to a white paper published by the law firm Hogan Lovells. The region's Personal Data (Privacy) Ordinance went into force in 1996.
Enforcement, however, lagged behind until a direct marketing scandal in 2010. The PDPO was subsequently amended to require that marketers obtain consumer consent rather than an opt-out scheme. In the ensuing years, Hong Kong's Privacy Commissioner for Personal Data became more active, and fines were increased for mishandling personal data.
"With increased fines, an activist regulator, a policy of 'naming and shaming' those who fail to comply and a growing public interest in data privacy issues, it is clear that PDPO compliance has to be a priority for Hong Kong businesses," according to Hogan Lovells.
Noncompliance with Hong Kong's data protection principles isn't a direct criminal offense, however. But ignoring an enforcement order from the privacy commissioner could result in a fine of HK$50,000 (US$6,400) and two years in prison, according to the office.