Oxfam Hong Kong data leak: watchdog rules charity violated privacy law
Privacy commissioner says charity failed to take ‘all practicable steps’ to ensure personal data protection
The local arm of international charity Oxfam violated the data protection law following a leak in July that potentially affected 550,000 people, Hong Kong’s privacy watchdog ruled in an investigation report on Thursday.
The Office of the Privacy Commissioner for Personal Data also revealed there had been a nearly 30 per cent year-on-year increase in breach notifications in 2024. It said the number of doxxing cases fell 42 per cent year on year.
“The privacy commissioner considered that Oxfam had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use,” the office said in the investigation report about the leak in July last year.
The report said Oxfam Hong Kong had contravened Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance, which concerns the security of personal data.
“The threat actor deployed ‘DarkHack’ ransomware in Oxfam’s information systems, resulting in file encryption and data exfiltration. A total of 37 servers and 24 workstations or notebook computers belonging to Oxfam were compromised,” it said.
Privacy Commissioner Ada Chung Lai-ling said she had served an enforcement notice on Oxfam, directing it to take measures to remedy the contravention and prevent recurrence of similar incidents in the future.