Yau Yat Chuen Club Data Breach Investigation Report
Summary
The PCPD published an investigation report into a ransomware attack on Yau Yat Chuen Garden City Club Limited, finding that outdated remote access software with a known security vulnerability, absent user authentication, and outdated antivirus and firewall software enabled the threat actor to access and encrypt personal data stored on a server. A total of 9,045 data subjects were affected, including 1,553 active members, 1,723 supplementary card holders, 1,313 former members, and 4,456 former supplementary card holders, with exposed data including full names, Hong Kong Identity Card numbers and/or passport numbers, dates of birth, email addresses, contact numbers and addresses. The Privacy Commissioner found the Club contravened DPP 4(1) and DPP 2(2) of the PDPO and served an Enforcement Notice directing remedial measures.
“The Privacy Commissioner was disappointed that the Club had not adopted appropriate and adequate organisational and technical information security measures before the Incident to safeguard the personal data stored in its information systems.”
Private clubs and membership organisations in Hong Kong that use external service providers to manage member databases should treat this as a peer-case read-across. The specific vulnerabilities the PCPD cited — unpatched remote access software, servers left in a logged-in state without MFA, and outdated antivirus and firewall — are common configuration failures in small to mid-sized organisations. Any Club or similar entity using a third-party CMS with remote access capability should audit those same controls now. The Enforcement Notice signals that DPP 4(1) and DPP 2(2) violations carry direct enforcement consequences under the PDPO regardless of entity size.
What changed
The PCPD published an investigation report and served an Enforcement Notice on Yau Yat Chuen Garden City Club Limited following a ransomware attack that compromised personal data of 9,045 individuals. The investigation identified five deficiencies: use of outdated remote access software containing a known security vulnerability, absence of user authentication measures for remote access, use of outdated antivirus software and firewall, lack of organisational information security measures, and prolonged retention of personal data. The Privacy Commissioner found the Club contravened DPP 4(1) of the PDPO by failing to protect personal data against unauthorised access and DPP 2(2) by retaining personal data longer than necessary. The Club is now subject to an Enforcement Notice requiring it to implement remedial measures. Any organisation holding large volumes of member or customer personal data should treat this as a cautionary case: the combination of unpatched software, absent MFA, and outdated security tools created conditions for a preventable breach, and the PCPD's findings demonstrate that such failures constitute actionable violations under Hong Kong law.
What to do next
- Take measures to remedy the contravention and prevent recurrence of similar contraventions as directed by the Enforcement Notice
Archived snapshot
Apr 24, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Privacy Commissioner’s Office Publishes (1) an Investigation Report on the Data Breach Incident of Yau Yat Chuen Garden City Club and (2) Practical Tips on Safeguarding Children’s Online Privacy
Date: 23 April 2026
The Office of the Privacy Commissioner for Personal Data (PCPD) today published (1) an investigation report of the data breach incident of Yau Yat Chuen Garden City Club Limited (the Club) and (2) Practical Tips on Safeguarding Children’s Online Privacy.
1. Data Breach Incident of Yau Yat Chuen Garden City Club
The investigation arose from a data breach notification submitted by the Club to the PCPD on 31 October 2025, reporting that its club management system (the CMS) was rendered inoperable as a result of a ransomware attack that encrypted information system files stored on a server (the Incident).
The CMS was provided and maintained by an external service provider (the Service Provider) for managing members’ information of the Club, with all associated personal data stored on the server (the Server). The Service Provider had the ability to remotely access the Server via dedicated remote access software (the Software) for the purpose of providing technical support.
The investigation revealed that the Software was operating on an outdated version that contained a known security vulnerability at the time of the Incident. The vulnerability enabled the threat actor to compromise the account credentials used by the Service Provider, thereby gaining direct entry to the Server where personal data was stored. This was further facilitated by the Server being left in a logged-in state without the implementation of additional authentication controls, thereby further undermining the security defences of the CMS. In addition, the Club’s antivirus software and firewall were outdated, rendering them unable to detect and prevent the hacking activities.
The Club is a private, non-profit social and recreational organisation that provides recreational facilities and dining services exclusively to its registered members and their guests. A total of 9,045 data subjects were affected by the Incident, which included 1,553 active members, 1,723 supplementary card holders, 1,313 former members, and 4,456 former supplementary card holders. The personal data affected included the full names, Hong Kong Identity Card numbers and/or passport numbers, dates of birth, email addresses, contact numbers and addresses.
The Club notified the affected persons after the Incident, and implemented various remedial measures, which included discontinuing the use of the previously vulnerable remote access software and monitoring all remote access, updating the antivirus software and firewall for all servers and endpoints to the latest versions, and applying encryption to the personal data files on the servers.
The PCPD conducted four rounds of inquiries and reviewed the information provided by the Club in relation to the Incident, and the follow-up and remedial actions taken by the Club after the Incident. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the Club contributed to the occurrence of the Incident (see Annex 1 for details):
1. Use of outdated remote access software that contained a known security vulnerability;
2. Absence of user authentication measures for remote access to the Server;
3. Use of outdated antivirus software and firewall;
4. Lack of organisational measures for information security; and
5. Prolonged retention of personal data.
The Privacy Commissioner was disappointed that the Club had not adopted appropriate and adequate organisational and technical information security measures before the Incident to safeguard the personal data stored in its information systems. Based on the above, the Privacy Commissioner found that the Club had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data.
In addition, the Privacy Commissioner found that the Club had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP 2(2) concerning the retention of personal data.
The Privacy Commissioner has served an Enforcement Notice on the Club, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
The Privacy Commissioner notes that databases that contain the data of members and customers often contain extensive, comprehensive, and continuously updated personal data. As such, they have become primary targets for cyberattacks. Following the infiltration into such databases, threat actors often exfiltrate large amounts of personal data, which could subsequently be sold for unlawful use. The Privacy Commissioner, Ms Ada CHUNG Lai-ling, reminds organisations that collect and retain large volumes of personal data belonging to members and customers, “Membership and customer data is a valuable asset of an organisation and can be said to be a high-risk target of cyberattacks. Organisations should adopt a proactive strategy, regularly review the effectiveness of the security measures of their information systems, and allocate sufficient resources to protect such personal data, thereby ensuring compliance with the PDPO and meeting the reasonable expectations of data subjects.”
The Privacy Commissioner recommends organisations to adopt adequate and appropriate organisational and technical measures to safeguard their information systems that contain personal data. In particular, organisations should:
- Timely update remote access software, antivirus software and firewalls in order to patch any known vulnerabilities;
- Implement effective user authentication for data access, including strong passwords and multi‑factor authentication;
- Establish adequate organisational measures, including clear internal policies for information security, as well as secure and reliable remote access solutions;
- Conduct regular security risk assessments, vulnerability scans and system audits to identify and rectify security weaknesses;
- Formulate a data retention policy to ensure that personal data is not retained longer than is necessary; and
- Provide regular staff training on information security.
The PCPD encourages organisations to make reference to the “Guidance Note on Data Security Measures for Information and Communications Technology (ICT)” and the “Guidance on Data Breach Handling and Data Breach Notifications” issued by the PCPD to bolster their defences against cyberattacks and to enhance cybersecurity and data security. To assist enterprises in safeguarding data security, the PCPD has launched a Data Security thematic webpage [1], a data security hotline (2110 1155) and the “Data Security Scanner” [2], which is a self-assessment toolkit for enterprises to assess the data security measures for their information systems.
In addition, to strengthen the capabilities of organisations, in particular small and medium enterprises and non-profit-making organisations, in safeguarding data security and cyber security, the PCPD relaunches the “Data Security Package” today. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of a free assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures.
2. “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”
In today’s digital world, children have been actively engaging in online learning platforms, social media platforms, online games and other online services, often from a very young age. While the internet brings convenience and opportunities for learning and social interaction, it also exposes children to increasing risks to their personal data privacy, such as excessive collection of personal data and retention of personal data for longer than is necessary. Such personal data may also be used for cyberbullying, doxxing and even scams.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, notes that when compared to adults, children are generally less appreciative of the privacy and safety implications of their online behaviour. To support parents and teachers, therefore, the PCPD has published the “Practical Tips for Parents and Teachers – Safeguarding Children’s Online Privacy” (the Tips), which provide practical advice on how parents and teachers can help children protect their personal data privacy and safety in the online world. The Privacy Commissioner encourages parents and teachers to join hands to co-create a safe and privacy-friendly digital space for children, proactively guide them to develop good online habits, and strengthen their awareness of personal data protection, so that they can participate in online activities safely and with peace of mind.
The Tips set out practical advice on how parents and teachers can guide children to protect their personal data privacy online. Key recommendations include:
1. Proactively participating in children’s online activities. Parents and teachers are encouraged to discuss with children the ‘dos’ and ‘don’ts’ of online behaviours, suitably use parental controls provided by online platforms to monitor children’s online activities, and try the latest technologies out to gain a deeper understanding of the functions and services of online platforms;
2. Safeguarding children’s online privacy. Children should be reminded not to over-share personal data when using online platforms or interacting with artificial intelligence (AI) tools. They should remain vigilant about their digital footprint, and parents and teachers should review and change default privacy settings and cultivate a sense of respect for others’ privacy;
3. Being a role model. Parents and teachers should set good examples by protecting their own personal data and respecting others’ personal data privacy, such as consulting friends and family members before sharing their personal data. They should also prioritise the best interest of the children when sharing their information on the internet; and
4. Reminding children of the pitfalls of the digital world. Children should be reminded of risks such as online scams, cyberbullying, abuse of AI deepfakes and doxxing. They should also be reminded that their personal data is marketable by many organisations, that giving up their personal data in exchange for an ostensibly ‘free’ service may not be worthwhile, and that there is no permanent ‘delete’ button on the internet.
Download the information pamphlet on “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”:
https://www.pcpd.org.hk/english/resourcescentre/publications/files/leafletchildrenonlineprivacy_e.pdf
Furthermore, to facilitate parents and teachers in understanding the advice in the Tips, the PCPD has also published a leaflet summarising the key recommendations of the Tips. Download the leaflet:
https://www.pcpd.org.hk/english/resourcescentre/publications/files/safeguardingpracticaltips.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the investigation report of the data breach incident of Yau Yat Chuen Garden City Club.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left) and the Assistant Privacy Commissioner (Compliance, Global Affairs and Research), Mr Alex CHAN Chung-man (right), introduced the investigation report of the data breach incident of Yau Yat Chuen Garden City Club.
The Assistant Privacy Commissioner (Compliance, Global Affairs and Research), Mr Alex CHAN Chung-man, introduced the investigation report of the data breach incident of Yau Yat Chuen Garden City Club.
To strengthen the capabilities of organisations, in particular small and medium enterprises and non-profit-making organisations, in safeguarding data security and cyber security, the PCPD relaunches the “Data Security Package” today.
- End -
[1] https://www.pcpd.org.hk/english/data_security/index.html
[2] https://www.pcpd.org.hk/Toolkit/en/
Annex 1
Data Breach Incident of Yau Yat Chuen Garden City Club Limited
Deficiencies that Contributed to the Happening of the Incident
1. Use of outdated remote access software that contained a known security vulnerability: The Software used for remote access was operating on an outdated version that contained a known security vulnerability. The vulnerability was exploited by the threat actor to facilitate the ransomware attack. The investigation found that the Service Provider was unaware of the security alert issued to affected users in January 2025 by the software developer. Furthermore, neither the Club nor the Service Provider had established any mechanism for applying security patches or updates to the Software concerned;
2. Absence of user authentication measures for remote access to the Server: The computer hosting the Server was intentionally kept logged in to ensure that the Software used for remote access could run continuously in the background and remained remotely accessible to the Service Provider without the requirement of additional authentication. The Club explained that this was a legacy practice adopted for operational convenience to facilitate immediate remote support from the Service Provider without delay. Additionally, multi-factor authentication was not available for the Software at the time of the Incident, which allowed the threat actor to access the Club’s information systems through the Software using the compromised credentials without any further verification;
3. Use of outdated antivirus software and firewall: The firewall that was enabled on the Server was outdated because of lapses in the maintenance cycle, which limited the Club’s ability to detect and prevent the threat actor’s activities. The Club acknowledged that its antivirus software was similarly outdated, which contributed to the absence of any alerts in respect of the ransomware in the Incident;
4. Lack of organisational measures for information security: The Club had not established any written information security policies or guidelines prior to the Incident. Although the Club had entered into a service contract with the Service Provider for technical support of the CMS and the Server, the contract did not stipulate any explicit information security requirements. The Club was unable to demonstrate the existence of any effective organisational measures to safeguard the security of the Server or the personal data stored therein; and
5. Prolonged retention of personal data: The Club stated that it retained the personal data of former members and former supplementary card holders for a minimum of seven years following the cessation of membership, citing statutory financial record-keeping obligations in support, as well as the need to verify membership history for reinstatement requests and to resolve any historical billing disputes. However, it was found that the personal data of 888 former members and 3,321 former supplementary card holders had been retained for longer than seven years.
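The retention finding above (deficiency 5) and the Privacy Commissioner’s recommendation to formulate a data retention policy both reduce to one auditable check: for each former member or former supplementary card holder, compute the retention deadline from the cessation date and flag records still held past it. The script below is an added example, not part of the report or of the Club’s or the Service Provider’s systems; the record fields, the category labels and the sample records are constructed for illustration, and the seven-year period is the minimum the Club itself stated.

```python
from dataclasses import dataclass
from datetime import date

# The Club's stated minimum retention period after cessation of membership.
RETENTION_YEARS = 7


@dataclass(frozen=True)
class FormerRecord:
    """One former member or former supplementary card holder (assumed schema)."""
    record_id: str
    category: str   # "former_member" or "former_supplementary" (constructed labels)
    ceased_on: date  # date on which the membership ceased


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; a 29 Feb start falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: FormerRecord, years: int = RETENTION_YEARS) -> date:
    """Last day on which the record may still be held under the stated policy."""
    return add_years(record.ceased_on, years)


def overdue_records(records, as_of: date, years: int = RETENTION_YEARS):
    """Records whose retention deadline had already passed on `as_of`.

    A record whose deadline falls exactly on `as_of` is not yet overdue.
    """
    return [r for r in records if retention_deadline(r, years) < as_of]


def overdue_summary(records, as_of: date, years: int = RETENTION_YEARS) -> dict:
    """Count overdue records per category, the figures a DPP 2(2) review reports."""
    summary: dict = {}
    for r in overdue_records(records, as_of, years):
        summary[r.category] = summary.get(r.category, 0) + 1
    return summary


# Constructed sample records; none of these are from the investigation report.
SAMPLE_RECORDS = [
    FormerRecord("M-001", "former_member", date(2010, 3, 15)),        # deadline 2017-03-15
    FormerRecord("M-002", "former_member", date(2018, 10, 31)),       # deadline 2025-10-31
    FormerRecord("M-003", "former_member", date(2018, 10, 30)),       # deadline 2025-10-30
    FormerRecord("S-001", "former_supplementary", date(2012, 2, 29)), # deadline 2019-02-28
    FormerRecord("S-002", "former_supplementary", date(2021, 6, 1)),  # deadline 2028-06-01
]

# Audit date used for the sample run: the day the Club notified the PCPD.
AS_OF = date(2025, 10, 31)

if __name__ == "__main__":
    for r in overdue_records(SAMPLE_RECORDS, AS_OF):
        print(f"{r.record_id} ({r.category}) overdue since {retention_deadline(r)}")
    print(overdue_summary(SAMPLE_RECORDS, AS_OF))
```

Run against a real export, the same two functions give the per-category counts that the report cites (888 former members and 3,321 former supplementary card holders held beyond seven years); the records they return are the candidates for secure deletion, after checking that no other obligation, such as an open billing dispute, still applies to a specific record.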
About this page
Source document text, dates, docket IDs, and authority are extracted directly from PCPD.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.