Webb-site Reports

Webb-site.com editor David Webb blew the lid on a huge leak of data on complaints against the Police. More than two weeks on, the silence from the Government and IPCC offers no comfort to the victims, who could sue for injury to their feelings. We recount the discovery and call for an independent panel of inquiry into the bigger issue of data security across all HK Government organisations.

Government Data Security - the IPCC Case
28 March 2006

How we found it

Around 2 a.m. on 9-Mar-06, your humble editor was doing a bit of late night research on the Hong Kong residential property market. He typed the street address of a property into Google, hit the enter key, and among the links returned was a huge text file containing the address, name, age, gender, ID number and a series of other data columns on around 20,000 people in Hong Kong.

After a few minutes of browsing the site, which contained a directory structure and hundreds of other files, it became obvious that we were looking at a copy of a database maintained by either the Independent Police Complaints Council (IPCC) or the entity it oversees, the Complaints Against Police Office (CAPO), which itself is part of the Police and handles all incoming complaints against the police. Yes, that's an obvious conflict of interest, but don't get us started on that one. CAPO should really be separate from the Police, but it isn't.

The database contained complaints made from 1996 to 2004. As you would expect in such a database, it wasn't just information on the complainant that was compromised, but also the name, age, gender, rank and station of the police officers against whom the complaints were made, and specifics of the complaint and the outcome, including any action taken against the officer, up to dismissal. Other index tables seemed to record the occupation of the complainant, their educational attainment, and whether they had a criminal record. Also, if the complainant had been charged with an offence, then the type of offence was recorded, and the outcome of the prosecution, including the type of sentence.

One table seemed to classify nationality into either Chinese, Mainlander, Vietnamese, Filipino, Pakistani or Others. Complaints were also categorised into causes (presumably the cause was concluded after investigation), including "tactical complaints" and "political complaints" - imagine who gets that category.

It was obvious from the files that it wouldn't take long for anyone with some basic understanding of databases to reassemble the whole thing. It was also obvious from the location of the files, in a directory with a person's first name on it, which in turn was on a commercial server of a company with normal trading business, that this was not a police or IPCC server which had accidentally been opened up. At that early stage it was clear that two things had happened. First, somebody, acting with or without permission, had copied the database from what should be a secure IPCC or police server and put it on the commercial server, and second, that server had at some point become open to the public.

Not knowing the source of the leak, we had to allow for the possibility that it was caused by an employee or consultant of either CAPO or IPCC, so we thought it might be wrong to report it to the police themselves. An outside agency should be involved, one with investigatory powers. So we sent off an e-mail to a contact at the ICAC, and then, somewhat tired, went to bed.

Later that day, the ICAC came back to us and told us that an investigation was underway (the following day, we were told it had been referred for investigation to the technology crimes unit of the Police). We were concerned that, given the sensitivity of the situation, the authorities might be tempted to try to suppress or downplay the story. So in order to corroborate it, we gave an exclusive to the South China Morning Post late that afternoon. Readers with long memories might recall that the last time we did this was when we discovered that Kroll was investigating us for our critical coverage of the Cyberport, back in 1999.

The team over at SCMP pulled out all the stops and ran the story on the front page the next day, Friday 10-Mar-06. By the time they went to press, they had contacted the company which hosted the server, and the files had all been deleted, although the rest of the server was still there. Unfortunately, SCMP published the domain name of the server, and this allowed anyone who knew how to do advanced searches on Google (restricted by domain) to find copies of all the files in Google's cache relatively easily. As a responsible citizen, we didn't tell any other media organisation how to find the files, but by the end of Friday, some of the more internet-savvy journalists had figured it out. It was almost 3 days before the authorities managed to get Google to delete the cache files, on the early evening of Sunday 12-Mar-06.

The Government response

Update 8-Apr-06: in the original version of this article, we stated that we were unable to find any information on the IPCC web site regarding this incident. We looked, naturally enough, at the p ress releases page, which still has nothing on it. However, the site now has another press releases page, one layer under "What's New". That is where you will find information on the incident and on a hotline for complaints (2524-3841). Whoever is designing their web site needs a lesson in user friendliness.

The only thing the Government has published itself was an article on 10-Mar-06 on their propaganda site news.gov.hk, stating that an investigation has been launched by the IPCC and by the Office of the Privacy Commissioner, Roderick give-me-some-teeth Woo. On Saturday morning, 11-Mar-06, the IPCC held a press conference, but no press release was issued on the Government web site, so all we have to go on is media reports that the non-executive body had asked its full-time staff for a report.

The Privacy Commissioner, to his credit, has been somewhat more active, putting out an initial response on 10-Mar-06 and then announcing a probe on 13-Mar-06. At the end of that announcement, you will find important advice:

"according to Section 66 of the Personal Data (Privacy) Ordinance, any citizen who suffers damage, including injury to feelings, from this incident are entitled to civil compensation from the data user." (our bold)

So if you have ever made a complaint against the police, or if you are a police officer who has been complained about, then even if you cannot prove any financial loss, you should consider taking legal action against the IPCC and/or the Government for the emotional distress or "injury to feelings" caused by the leak of your data. Have you been losing sleep at night? You may not even need to pay a lawyer for this - if you start at the Small Claims Tribunal, for civil damages up to $50,000, then it doesn't allow legal representation, although you may end up in the Court of First Instance on appeal.

Clearly the Government knows this, and that's probably why you've seen nothing in writing from the IPCC stating their position or saying "sorry". They don't want to open the floodgates to litigation. They are somewhat fortunate that Hong Kong does not allow class actions and contingent legal fees, because otherwise there would be lawyers willing to represent the entire class of victims and sue for damages, on behalf of all 20,000 victims.

How did it happen?

In our view, the Government will not escape blame in this episode. The IPCC secretariat apparently allowed its data to be taken off-site by a consultant, reportedly for the purpose of conversion of the database from one format used by COPA to another used by the IPCC. The person who worked for the consultant then reportedly left the consultancy, and took the data with him, storing it on the commercial server. An alternative explanation might be that the consultancy outsourced the work to him.

Press reports on a Legislative Council Security Panel hearing on 17-Mar-06 indicate that the consultancy contract did not include any provision for security of the data. If so, then that's outrageous. What we know, from media reports so far, is that the contract was with EDPS Systems Ltd (EDPS). Their web site is inactive, but don't worry, here's a copy from archive.org of what it looked like on 9-Mar-05. According to that:

"From as early as 1977, EDPS has been one of the major suppliers of contract manpower to the Hong Kong Government and large corporations."

The Government on 25-Jul-05 awarded 3-year "standing offer agreements" to EDPS and 9 other companies. We don't know which other departments' contracts EDPS is or was working on.

The domain where the data was hosted, china2easy.com, is registered to a company called De Motif Limited, although that company was dissolved on 23-May-03. Click here to see what china2easy.com looked like on 5-Feb-05 (be patient, the archive is slow). It shows that another company, China Motif Ltd (China Motif), was now associated with the domain. So it appears that the web site was functional at least up to 5-Feb-05, and became dysfunctional and open to the internet at some time after that.

A quick search at the Companies Registry tells us that China Motif has 3 shareholders, including 20% held by a director, Heung Yam-ling, the person identified by media reports as Kirren Heung, the former employee of EDPS.

Remedial action

Your editor has in fact been the subject of another possible data leak recently. The case took place in America, where the laptop of an Ernst and Young (E&Y) employee was stolen from a locked car. Although the laptop required a password to use it, E&Y did not claim that the hard drive itself was encrypted, so if it wasn't then anyone determined enough could have read the files directly off the drive. The Register reports that Sun Microsystems CEO Scott McNealy's data was also on the drive. Your editor received a Valentine's day letter from E&Y, informing him of the incident, and offering to place a "fraud alert" with the 3 major US credit bureaus to alert creditors of the risk of identity theft, and offering free credit monitoring for the next year. E&Y also set up a call centre to field queries on the incident. E&Y knows they have exposed themselves to potential litigation, and they are doing the right thing by seeking to mitigate the damage with these remedial measures.

That kind of response is what the IPCC should have done, and can still do. They should write to every complainant whose personal data was published, explain what happened and offer them free credit monitoring at Government expense for at least a year. They should also offer a change of identity number, although many may choose not to change it, since it leads to all sorts of updating requirements with banks, employers, insurers and so on. The longer they delay and prevaricate, presumably consulting lawyers on their potential liability, the more distress they will cause to those whose data were released.

What else could go wrong?

This is undoubtedly the worst breach of data privacy in Hong Kong's history. 30 years ago, it would have been almost impossible to remove this much data from any government department, because almost everything was kept on paper or large mainframe computers. Today, the entire tax assessment and payment records of every tax-payer in Hong Kong would comfortably fit on a 60GB iPod hard drive, and you'd probably have room for their immigration movements and driving licence details left over.

The implications of this case reach far beyond the IPCC, which is just one of hundreds of government-related organisations. The Government should establish an expert panel of inquiry to investigate:

Are there uniform standards of electronic data security across all government departments and organisations, including quasi-independent organisations such as the ICAC and SFC?
Do these standards prevent any single rogue employee, or consultant, from removing data from secure government facilities, without express permission?
If data are to be removed from secure government facilities, then are the data subject to adequate protection, including encryption and dual-key access to machines, so that no single consultant can copy the data?
Are those security arrangements audited before the data are released to a consultant?
Do consultants give contractual undertakings for data security?
Are consultants prevented from sub-contracting or outsourcing the work, and the data, to third parties?

Pending such a report, which should be published in full, the Government should put an immediate stop on all consulting contracts which involve off-site data work until these issues can be addressed. It is obviously too easy at present for an employee of a consultant to simply leave and take the data with him.

The Government has a duty to protect the personal data it holds on all of us, and steps must be taken to ensure that such a loss never happens again. They cannot treat this as just an isolated incident. It is a wake-up call, and changes must come from it.

Topics in this story

Government policy - general

Recommend Webb-site to a friend

Government Data Security - the IPCC Case 28 March 2006