“We need to ensure that our computer systems have all the necessary security measures in place to protect the privacy of our residents.”
Quat said authorities must investigate the problem caused by human error and take action against those responsible.
He noted that many cybersecurity failures in the government sector are the result of administrative issues or human error, and that simply relying on the government's Office of the Chief Information Officer to provide guidelines is not enough.
“The heads of the relevant departments should be fully aware of this and should not leave things to their own devices,” he said. “When an employee makes a mistake, you shouldn’t try to protect them or easily assign blame.”
“The Civil Service Authority should order all government departments and their heads to carry out their work properly in terms of cybersecurity and protection of personal privacy,” he said on a radio show.
“If something goes wrong in these departments or systems, or similar incidents occur again, there should be mechanisms for punishment, people to be held accountable, and disciplinary action.”
Last Friday, the Companies Registry announced that a glitch in its digital platform had caused the personal information of around 110,000 people to be leaked, including names, addresses, phone numbers and email addresses, as well as ID and passport numbers.
The Electrical and Mechanical Services Bureau reported the day before that information such as the names, phone numbers, ID numbers and addresses of 17,000 public housing residents who were required to undergo COVID-19 tests in 2022 had been leaked.
The government's Office of the Chief Information Officer announced on Sunday that it had asked all bureaus and departments to review their computer security and report within a week following the series of incidents.
Quat told reporters on Monday that the repeated breaches are a sign that people in government and public sector organizations, especially executives and IT staff, are not paying enough attention to cybersecurity vulnerabilities and the need to protect personal data, and that this shows there is not enough awareness.
She called on authorities to follow up on violations.
“Everyone knows that when a case involves so much personal information from victims and so many residents, there can be serious consequences,” she said on the radio show. “If this information were made public and used maliciously by some people, there could be very serious consequences.”
Francis Fong Pok-kiu, honorary president of the Hong Kong Information Technology Federation, said the Companies Registry should have discovered the flaws before launching the system.
He also warned that the government's new Digital Policy Office would not be a silver bullet for cybersecurity failures.
The creation of the agency was announced in last year's policy speech, along with the merger of the Government's Office of the Chief Information Officer and the Office of Efficiency.
Fong said the government should conduct security audits of existing systems and establish guidelines for all processes involved in the development of IT projects, from issuing bids to receiving finished products.
He called on the government to learn from recent experience and take a more focused approach.
“Currently, Departments A, B, and C basically do not communicate with each other, so they do not know what each other is doing.”