A loophole in the Carousell system resulted in the personal data of 320,000 local users being put up for sale on the dark web, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data. Photo: Bloomberg
Opinion
Editorial
by SCMP Editorial

Carousell hack calls for better Hong Kong security and enforcement action

  • Lessons must be learned from a privacy breach at an online marketplace that saw details of city users compromised as well as from the probe that followed

From shopping to banking, the internet has made life more convenient. But it has also made us more vulnerable to online scams and privacy leaks, as shown in the rising number of reports over the years.

The latest privacy breach involving a popular online marketplace shows there is still room for improvement, not only in terms of compliance, but also in the handling of the case by the statutory watchdog. The need for better safeguards and enforcement cannot be overstated.

It was bad enough when a loophole in the Carousell system resulted in the personal data of 320,000 local users being put up for sale on the dark web. Worse, the incident only came to light last week when the Office of the Privacy Commissioner for Personal Data announced its findings after a year-long investigation.

Describing the violation as “serious”, the office revealed Carousell first reported in October last year that the personal data of 2.6 million users worldwide, including 324,232 from Hong Kong, was being sold online. It included email addresses, phone numbers and birthdays.

Ada Chung Lai-ling, Hong Kong’s privacy commissioner for personal data, discussing the Carousell data breach at a press conference. Photo: Edmond So

According to the report, hackers exploited a loophole in the system migration process that began in January 2022 and stole the personal details in May and June. The problem was only discovered and resolved in September last year while the platform was testing a new feature, but it was determined at the time that the loophole had not been exploited.

The watchdog launched an investigation after the company reported the issue the following month.

A year-long probe concluded that the company had made several errors leading to the hacking, including failing to check whether a comprehensive code review process was carried out, not ensuring there was a thorough security assessment and not having an effective detection mechanism in place.

The watchdog said it was “very disappointed” that the incident revealed “fundamental failures” to ensure the security of the personal data held by Carousell. But the public may feel just as disappointed about the pace of the investigation.

Officials said the probe involved verification of details as well as allowing the company to respond, but conceded that the process had room for improvement. Carousell has been handed an enforcement notice to remedy the situation and take measures to prevent a recurrence by mid-February.


Belated as it seems, the action may hopefully create a stronger sense of awareness and compliance among companies.

Previously, there were incidents involving public bodies that fell victim to ransomware attacks because of security failures. The commission and businesses must be aware of their responsibilities.

When it comes to privacy protection, safeguards and compliance go hand in hand with forceful and timely enforcement action.
