Suspected theft of Immigration Department computers

18 Oct 2012

The Immigration Department said today (October 18) that the suspected theft of three notebook computers, which were used in immigration control at Airport control point, had been reported to the police. As personal data of visitors was kept in the computers, the Office of the Privacy Commissioner for Personal Data (PCPD) had been notified of the data breach.

An Immigration Department spokesman said, "The Airport Division received the loss report on October 17 involving three notebook computers which were used in immigration control. As theft was suspected, the case was referred to the police today. The department will fully support the investigation.

"According to our preliminary assessment, the personal data from travel documents of about 3 000 visitors are involved. No Hong Kong residents are among these passengers. The notebook computers lost belong to a stand-alone computer system which is not connected to any major computer systems of the department. Therefore, the case will not affect other computer systems of the Immigration Department. Moreover, the data in the computers has been encrypted, and log-in to the system is only possible after multiple authentication by using the registered user name and password. With such security measures in place, the access to the encrypted data is highly restricted, and it is unlikely that the said data will be compromised. In view of the fact that the data collected in the lost notebook computers does not include means of contact, the department will further explore how to follow up with individual visitors who are affected by the case," the spokesman added.

"Immediately after the incident, the department further strengthened the security measures of the computer system by resetting all user passwords, and updating and replacing e-tokens. Regarding the lost notebook computers, we have updated the settings of the system server to prevent the uploading of any information through these lost computers to other computer systems of the Immigration Department. Meanwhile, we have reminded the frontline staff to strictly adhere to the departmental guidelines on system security and practice, and step up security management of all personal data to ensure the proper handling and protection of such data."

On the other hand, a special task force headed by the Deputy Director of Immigration has been formed, which is tasked to conduct a comprehensive review of the security position of all mobile devices with personal data, and submit a report to the Director of Immigration within three months with recommendations on how to prevent the recurrence of such incident. The Immigration Department will also consult the PCPD on the recommendations.

"The Immigration Department takes the protection of personal data privacy very seriously, and has laid down clear internal guidelines and control mechanism to ensure that personal data is kept in compliance with the Personal Data (Privacy) Ordinance and other relevant laws and ordinances. Staff is also regularly reminded to handle personal data with care according to the relevant provisions and requirements. If the incident involves any negligence or mishandling, we will seriously handle the matter as appropriate. While this case is believed to be an isolated incident, the department will review the current handling procedures to ensure effective protection of the personal data collected as advised by the special task force," the spokesman reiterated.