Incident Details
Popular online marketplace Carousell violated Hong Kong's privacy laws, a watchdog said on Thursday, following the discovery of the personal data of more than 320,000 local users available for sale on the dark web. The Office of the Privacy Commissioner for Personal Data announced the findings from its investigation into the leak, which the platform reported in October last year, calling the incident serious given its scale.
How Did the Breach Happen?
The breach stemmed from a loophole in Carousell's system migration process, which began in January 2022. Hackers exploited this loophole in May and June of the same year to steal personal information that was not visible to ordinary users. The issue was discovered and resolved in September 2022 during the platform's testing of a new feature.
What Data Has Been Compromised?
The personal data of more than 320,000 local users was compromised. The leaked information includes email addresses, phone numbers, and dates of birth (day, month, and year).
Why Did the Company's Security Measures Fail?
The company's security measures failed due to several errors. These include failing to check whether a comprehensive code review process was carried out, not ensuring a thorough security assessment, and not having an effective detection mechanism in place.
What Immediate Impact Did the Breach Have on the Company?
The breach had a significant impact on the company. It violated Hong Kong's privacy laws and resulted in the personal data of over 320,000 users being offered for sale on the dark web. The Office of the Privacy Commissioner for Personal Data served an enforcement notice on Carousell requiring it to remediate the situation and prevent a recurrence.
How Could This Have Been Prevented?
This breach could have been prevented by implementing general risk and safety assessment measures during the system migration process. Conducting a comprehensive code review, ensuring a thorough security assessment, and having an effective detection mechanism in place would have helped to identify and address the loophole.
What Have We Learned from This Data Breach?
This data breach highlights the importance of robust security measures and proactive risk assessment in protecting the personal data of users. It serves as a reminder for companies to prioritize the security of their systems and regularly evaluate and update their security measures.
Summary of Coverage
Popular online marketplace Carousell violated Hong Kong's privacy laws when the personal data of over 320,000 local users was leaked and offered for sale on the dark web. The breach resulted from a loophole in the platform's system migration process, which hackers exploited to steal personal information. The incident had a significant impact on the company, including a finding that it had breached privacy law. It underlines the need for strong security measures and proactive risk assessment to prevent such incidents.