URA Responds to PCPD’s Investigation Report
The Urban Renewal Authority (URA) noted that the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has completed its investigation and issued an investigation report (the Report) today (9 January 2025) on a security incident involving a cloud server platform (the Incident) reported by the URA on 13 May 2024. The URA will study the Report in detail and take appropriate follow-up actions.
The URA acknowledged the investigation findings of PCPD and agreed that had the URA’s technical staff updated the software of the e-Form Platform in a timely manner and used the most up-to-date version when designing the e-forms, or had sufficient knowledge of the “data sharing” settings of the e-Form software and the cloud platform, the Incident would not have occurred.
Since learning of the Incident, the URA has been handling it in a proactive and responsible manner. Actions taken included immediately deactivating the vendor’s cloud platform and deleting the relevant data, proactively reporting the Incident to PCPD, notifying the public with a press release, and informing and apologising to individual affected owners and tenants through phone calls and letters. The URA also contacted the local cloud platform service vendor and its overseas head office to understand more about the Incident. This series of immediate follow-up actions ensured no leakage of personal data.
Apart from fully cooperating with the PCPD’s investigation and providing relevant information on the follow-up testing environment to help determine the cause of the Incident, the URA also initiated a joint investigation with the cloud platform vendor/contractor, in which the URA came to understand that the default value for “data sharing” of the e-Form had been changed to “default off” in the latest version of the software of the e-Form Platform.
Meanwhile, the URA has implemented a series of measures to strengthen the protection of personal data including:
- Requesting the cloud platform vendor/contractor to strengthen after-sales services, including timely notification of product feature updates and provision of training and technical support;
- Reviewing the work guidelines, and re-evaluating and optimising the workflow for handling personal data;
- Appointing an audit firm to conduct a comprehensive information security audit;
- Engaging a consulting firm to formulate data security policies including those relating to the management and processing of personal data;
- Strengthening training and security awareness on handling data security and personal data for departments and all technical staff; and
- Self-developing independent platforms to reduce reliance on third-party platforms, and to minimise impacts from external factors and potential security risks.
The URA will draw on the experience from the Incident and strive to establish a more robust privacy security framework and a corporate culture that values the protection of personal data, to minimise the chances of similar incidents happening.
(ENDS)