Last night it was reported that two laptops belonging to the Registration and Electoral Office in Hong Kong were stolen at the AsiaWorld-Expo.
The laptops contained the details of 3.7 million voters in Hong Kong. The data is encrypted, but that certainly does not mean it is safe.
This is one of Hong Kong’s most significant data breaches, with the laptops also storing the names of 1,200 electors on the Election Committee.
The information at risk included names, personal identification numbers and contact information. In a statement, however, it was said that no information indicated the data had been “leaked”.
Eduard Meelhuysen, Head of EMEA at Bitglass, commenting on this latest data breach, said: “Of all the data breaches in the headlines, it’s the public sector stories that are the most alarming. Whether it’s the NHS or the Hong Kong Registration and Electoral Office, these organisations need to remember their duty of care, not to mention legal obligations, to protect citizens’ and employees’ data.”
“This means not only keeping sensitive data encrypted, but also controlling where it goes using tools like access control and data leakage prevention. Is it really a business necessity to store the information of millions of citizens on a laptop that’s being taken to a tradeshow?”
A spokesman for the Office of the Privacy Commissioner for Personal Data said it had received “verbal notification” of the case from the electoral office earlier Monday.
“They stressed that the data had been encrypted,” he said. “The case involves a huge amount of personal data. The office is going to launch a probe.”
Election Committee member Fung Wai-wah said: “We had not been told there was a backup centre for the chief executive election.”
Another committee member, lawmaker Charles Mok, said he found it “puzzling” that voters’ data had been stored alongside that of committee members.
“Perhaps they didn’t put the voters’ data in a proper place after last year’s legislative elections and then the devices were used for the chief executive election,” he added.
Efe Orhun, managing partner & CISSP at security consultancy Derivative Technology, concluded that an insider familiar with the election’s fallback planning is probably to blame for the leak.
“If this was an insider job, it’s unclear whether the data encryption will be any use because if the culprits are familiar with the fallback procedures, they are likely also familiar with how to access the laptops. And besides, if it was government sponsored, full disc encryption may not be an obstacle either.”