In 2018, Cathay Pacific Airways disclosed that the data of 9.4 million customers had been leaked. The number of people and data involved caused a public uproar. While it remains unclear how many people have been affected by the Cyberport data leak this time, the sensitivity of the data and the seriousness of the incident can easily dwarf the Cathay Pacific leak.

According to what is known to the public so far, Cyberport discovered in the middle of last month that its system had been compromised, and the hacker group demanded US$300,000. After the deadline for paying the "ransom" expired, Trigona, the international hacker group, put more than 400GB of Cyberport's data up for auction on the "dark web" and made some of the information public.

Local experts who have viewed the information described the relevant information as more sensitive than expected. It includes not only personal information such as the ID cards, photos, bank account numbers, addresses and phone numbers of Cyberport senior executives and some employees, but also documents about Cyberport's leasing business, personnel records, financial records, etc. Business proposals make up the largest part of the leak, and they involve the names of a large number of companies and corporations. It is believed that the files about "financial technology" alone contain information of more than 200 companies. There is worry about a leak of business secrets, which might allow the governments of other countries or commercial institutions to spy on Hong Kong's innovation and technology development trends, thus putting Hong Kong in a disadvantageous position.

Cyberport has emphasised that it is a victim, but this is not a defence against the criticism. Apart from data security, Cyberport's handling of the aftermath is also problematic in many ways. Cyberport has been vague about the date on which it first discovered the hack, only saying it was "mid-August". It is currently unknown how many days passed before it reported the data breach to the Office of the Privacy Commissioner for Personal Data (PCPD) on 18 August. However, it is certain that Cyberport issued a press release announcing the incident on 6 September, having delayed doing so for over two weeks.

In recent years, many countries and regions have been pressing ahead with legislation requiring companies and organisations to report data leakage incidents as soon as possible, with hefty fines for violations. In Hong Kong, as early as 2007 the PCPD proposed amending the law to make the reporting of data breaches mandatory, but the proposal was rejected in the end "to avoid placing a heavy burden on organisations". To this day, the authorities still operate a toothless mechanism of "voluntary notification". The fact that Cathay Pacific did not announce a hack that had happened in early 2018 until October of the same year is a damning indictment of the problem.

A few years ago, the PCPD revisited the matter and proposed amendments to the legislation. Still, nothing happened in the end. The SAR authorities might be worried that mandatory notification would increase corporations' expenses on network security, heighten their legal liabilities and trigger a backlash from the business community. However, if information security issues are still not taken seriously now, it will hinder the development of innovation and technology in Hong Kong. The SAR government must muster the determination and press ahead with the amendment.

Ming Pao Editorial 2023.09.15: Cyberport's negligent data leak could hold back "data crossing the river"

Cyberport's computer system was hacked last month, and more than 400GB of data has recently been made public on the "dark web", much of it sensitive.


■ Glossary

ransom : money that is paid to somebody so that they will set free a person who is being kept as a prisoner by them

mandate : to order somebody to behave, do something or vote in a particular way

muster : to get enough courage, confidence, support etc to do something, especially with difficulty