“They must ensure that the computer systems have all the necessary security measures and that the privacy of residents can be protected.”
Quat said authorities must investigate problems caused by human error and take action against those responsible.
Many cybersecurity failures in government departments were a result of management issues or human error, she said, noting it was not enough to simply rely on the Office of the Government Chief Information Officer to provide guidelines.
“The head of the department that is responsible should have enough awareness and not leave things to chance,” she said. “When their employees make mistakes, they should not try to protect them or let them off the hook easily.”
She earlier told a radio show: “If these departments or systems have issues or similar incidents occur again, there should be a punishment mechanism, a person to be held accountable and disciplinary action.”
The Companies Registry said on Friday last week that personal information – including names, addresses, telephone numbers and email addresses, as well as identity card and passport numbers – of about 110,000 people had been leaked because of a fault in its digital platform.
The Electrical and Mechanical Services Department a day earlier also reported that information on 17,000 public housing tenants required to take Covid-19 tests in 2022, including their names, phone numbers, ID numbers and addresses, had been compromised.
The Office of the Government Chief Information Officer said on Sunday that it had asked all bureaus and departments to review their computer security and report back within a week following the series of incidents.
Quat said on Monday the repeat breaches showed that those in the government and public bodies, particularly management and IT staff, did not pay enough attention to or have sufficient awareness of cybersecurity vulnerabilities and the need to protect personal data.
She urged authorities to follow up on and investigate the breaches.
“Everyone can see that when a case involves so much personal information from victims and so many residents, the consequences can be severe,” she said on the radio show. “If this information is revealed and it is used maliciously by some people, the results can be very serious.”
Lawmaker Lai Tung-kwok, a member of Legco’s security and public service panel, said the government had its own mechanism for dealing with civil servants including senior officials if they made mistakes on the job.
Francis Fong Po-kiu, the honorary president of the Hong Kong Information Technology Federation, said the Companies Registry should have spotted the faults before launching its system.
He also warned that a new digital policy office to be set up by the government would not be a silver bullet for cybersecurity failures.
The creation of the body was announced in last year’s policy address with the merging of the Office of the Government Chief Information Officer and the Efficiency Office.
Fong said the government should conduct security audits for its existing systems and establish guidelines for all processes involved in the development of IT projects, from issuing tenders to receiving the finished product.
He urged the government to learn from the recent experience and take a more centralised approach.
“The current situation is that department A, department B and department C basically do not communicate with each other, so they do not know what one another is doing,” he said.
