URA Follows up on Vendor’s Cloud Server Platform System Security Incident
Following recent system security incidents involving an online cloud server platform provided by an IT services vendor, to which the Urban Renewal Authority (URA) also subscribes, the URA has recently found that some personal data stored on the vendor’s cloud server platform might be at risk of a data breach. The URA immediately deactivated the vendor’s cloud server platform, deleted the relevant data and reported the incident to the Office of the Privacy Commissioner for Personal Data, Hong Kong.
The incident involved the URA’s Nga Tsin Wai Road / Carpenter Road Development Scheme (the Project) in Kowloon City, which commenced property acquisition at the end of last month. On 30 April, the URA sent letters to affected owners, tenants and shop operators of the Project, inviting them to attend briefing sessions on the property acquisition offers. Via a QR code printed on the letters, the recipients could access the designated online registration form (the online form), stored on the vendor’s cloud server platform, to indicate the session they preferred and update their latest contact telephone numbers. This information, together with the names and addresses of the recipients, was stored on the vendor’s cloud server platform.
When preparing the online form, the URA conducted multiple security checks and introduced security measures to restrict access to the data. Only authorised persons are allowed to use or read the data stored at the specific interface of the vendor’s cloud server platform, by logging in to their designated accounts with the correct passwords.
The URA has conducted a detailed examination since 3 May and found that the cloud server platform allowed users to access the specific interface and browse the data from the online form via an option in the internal data layer, without needing to log in to the account with the password. However, the data could only be viewed and could not be directly downloaded. The incident involved the personal data of approximately 200 residents or shop operators who completed the online forms between 2 and 3 May.
To the URA’s understanding, there is no evidence of data having been disclosed, as searching for information at the internal data layer of the specific interface falls within a specific area of expertise. The URA stresses that there is no direct connection between its internal IT system and the vendor’s cloud server platform. The URA expresses sincere apologies to the 200 affected residents who submitted the online forms, and will notify them individually to give an account of the incident.
(ENDS)