Order to remove personal data from public clouds after leaks

All government offices and departments have been asked to remove all sensitive and personal information from public cloud servers and contact the Chief Information Officer of the Office of the Government within a week due to the government's recent data leaks.

This came after the Department of Electrical and Mechanical Services discovered that a server storing the personal data of around 17,000 citizens collected during the mandatory Covid-19 lockdown between March and July 2022 was accessed without input can be accessed using passwords.

The information included names, phone numbers, ID numbers and addresses – but these were not downloadable.

The EMSD said it asked the service provider of the online server platform to remove the data and reported the leak to the OGCIO, the police and the security office.

The information breach is also being investigated by the Personal Information Commissioner's Office, with Data Protection Commissioner Ada Chung Lai-ling saying last Friday that whether the leak occurred as early as 2022 or recently was also one of their lines of inquiry.

She recommended that relevant government departments conduct a comprehensive review to determine whether the data stored on their servers has been leaked.

A day later, the commercial register announced that it had disclosed data of around 110,000 people in the past month, including their names, full passport and ID card numbers, addresses, contact numbers and email addresses.

The registry said on April 19 only that urgent maintenance was required because it had identified a risk of loss of personal data in the e-search services of its E-Services portal – a single integrated online platform to facilitate searches for registrants Information from companies and entities managed by the register – and that it has not received any notification of loss of personal data. However, after an investigation, the registry found that people may be receiving additional personal information if they use a web development tool or a “robot search” that collects the personal information of around 110,000 people – mostly company executives.

In response to recent data leak incidents, the OGCIO stated that it attaches great importance to information security breaches in government departments and public institutions, especially those involving the loss of personal data.

In addition to providing technical support, the office reminded all department users and systems that they must “strictly comply with government data security rules, policies and guidelines when handling sensitive and personal information.”

In response to media queries, at least 14 government departments said they had already deleted personal data collected during the lockdown.

[email protected]