‘Scripting error’ at Hong Kong’s HK Express allowed customer to access private data
Case is one of eight data leaks revealed by city’s privacy watchdog, all caused by negligence in following established procedures
HK Express, the budget carrier of Hong Kong’s Cathay Pacific Airways, mistakenly directed a customer to log into another’s account due to a “scripting error”, enabling him to access the other person’s personal information including birth date, according to investigations by the privacy watchdog.
That case and seven others revealed on Monday by the Office of the Privacy Commissioner for Personal Data included one involving CJ Plus Insurance, which sent documents printed on recycled paper that contained résumés and copies of Hong Kong identity cards.
“In the digital age, organisations have generally strengthened their awareness and capability in protecting personal data,” Privacy Commissioner Ada Chung Lai-ling said.
“While most [of the eight] cases affected relatively few individuals, these incidents serve as a reminder to the public that information security risks can arise from any work process.”
Chung said all eight incidents – including one concerning the government’s Transport Department – involved negligence in following established procedures to prevent data leaks and were reported between October 2023 and November 2024.
They were found to have contravened the requirements under the Personal Data (Privacy) Ordinance, such as by using personal data for a new purpose and not taking sufficient practical steps to prevent a data leak, the office said.