CSD announces IT system security incident
*****************************************
After a preliminary investigation, the CSD believes that the incident involved an illegal access to the internal Knowledge Management System by a hacker, through which the hacker then illegally accessed another IT system maintaining personal data of CSD staff. Relevant data includes names, genders, dates of birth, academic qualifications, information of employment history in the CSD and email addresses. The incident involved about 6 800 serving and departing CSD staff.
The CSD has taken immediate actions after the incident, including isolating the internal Knowledge Management System, notifying users to change passwords, thoroughly reviewing all systems under the Department's purview and activating back-up procedures, as well as requesting the outsourced service provider to commence an investigation. The Department has at once reported the incident to the Police, the Security Bureau, the Office of the Privacy Commissioner for Personal Data (PCPD) and the Digital Policy Office (DPO).
Although no evidence indicating that relevant data has been leaked, the CSD has started informing all possibly affected individuals of the situation for prudent sake. In case of suspicious circumstances, they should report to the Police as soon as possible.
The CSD is very concerned about the IT system security incident. The Department is consulting the PCPD and the DPO, with a view to conducting a comprehensive review of the incident and taking further enhancement measures for personal data protection to prevent recurrence of similar incidents.
Ends/Friday, March 27, 2026
Issued at HKT 23:41
Issued at HKT 23:41
NNNN