PCPD Finds No Unauthorized Access in Companies Registry Data Breach

The Office of the Privacy Commissioner for Personal Data (PCPD) has found no evidence that the “additional” personal data of over 100,000 individuals affected by a Companies Registry data breach was accessed without authorization or by accident.

The breach compromised the Hong Kong Identity Card (HKID) and passport numbers or addresses of 108,575 company directors. Additionally, it exposed the HKID or passport numbers of 217 disqualified persons, money lender applicants, and third-party appointees, along with the names, phone numbers, or email addresses of 210 money lender contacts.

The incident was discovered on April 18, 2024, during routine checks of the Integrated Companies Registry Information System. The review found that the e-Search Services of the “e-Services Portal” had inadvertently transmitted additional personal data beyond the intended search results.

According to the PCPD investigation, nearly 90% of the affected personal data was already available for public inspection within document images registered with the Companies Registry. However, the data was not directly visible in search results—users would have needed to access web developer tools, a feature rarely used by the general public, to view the information.

In response, the Companies Registry promptly notified all potentially affected individuals, rectified the system design, and engaged an independent third party to conduct a comprehensive review. Additional remedial measures were also implemented to prevent similar incidents in the future.