PCPD: two retailers breach personal data of nearly 140,000 people
Published: 2025-08-21 19:54
TVB News



The Office of the Privacy Commissioner for Personal Data, or PCPD, says investigations found two data breach incidents involving two retail groups.
The personal data of nearly 140,000 customers and employees were stolen by hackers.
The privacy watchdog says some of the information was disclosed on the Dark Web for illegal use.
One of the companies that encountered exfiltration of personal data is Adastria, a Japanese multinational corporation in fashion retail in Asia.
In Hong Kong, Adastria's companies include "niko and ...," LOWRYS FARM, and other brands.
In November 2024, the company told PCPD that it received complaints from four customers.
They were asked about their bank account information by someone impersonating an Adastria employee on the phone.
Adastria later found out that the personal data of some 59,000 customers had been leaked and made available for download on the Dark Web.
Upon investigation, the privacy watchdog found that Adastria's password management was weak and that it did not have multi-factor authentication for access to accounts.
PCPD says the deficiencies contributed to security vulnerabilities in the computer system, where a hacker was able to gain access and download the information, including customers' names, telephone numbers and order information.
Privacy Commissioner Ada Chung said, "Given that Adastria is a well-known multinational fashion group and holds a large volume of personal data of customers, I regret to note the company's lack of awareness of data security and the absence of proper measures to protect personal data in its possession."
Another incident involves My Jewelry and its parent company Kwong's Art Jewellery, in which the data of 75,000 customers and 4,400 employees were exposed.
PCPD's investigation found a hacker gained access to the company's information system through the account of a former employee who left 13 years ago.
The watchdog believes the company should have deleted the former employee's account in a timely manner, and implemented additional protective measures for regular monitoring of the activities in the system.
The privacy commissioner also said organisations should recognise that personal data are valuable assets.
She also said they should allocate sufficient resources to cyber security in order to protect personal data.

