Last updated 23 Jan 2025

Public statement in relation to the investigation report issued by the Office of the Privacy Commissioner for Personal Data regarding the cyberattack against Oxfam Hong Kong

The Office of the Privacy Commissioner for Personal Data of Hong Kong (hereinafter referred to as “PCPD”) released an investigation report today (23 January 2025) regarding the cyberattack that occurred at Oxfam Hong Kong (hereinafter referred to as “OHK”) in July of last year. PCPD also served an enforcement notice to OHK, requiring OHK to take a series of improvement measures on system security and personal data retention policies.

At today's press conference (23 January), the PCPD thanked Oxfam for its cooperation and the provision of the information and documents requested in the investigation. OHK places great importance to this incident and has implemented various remediation measures to enhance the overall system security. We are executing the relevant measures as required by the PCPD and will submit a report to them within two months.

Ensure the safety of information systems

Following the incident, OHK has completed a series of measures to enhance system security. These include upgrading to the latest firewall and adding an additional layer of firewall to strengthen our network protection. We have also implemented Multi-Factor Authentication (MFA) for remote users of OHK's systems and regularly monitor suspicious malicious activities and security incidents. To prevent such incidents from occurring again, we will refine our information security policies in accordance with the requirements provided by the PCPD.

Establish a personal data retention policy

Last July, we actively issued notifications to those who were potentially affected and initiated dark web monitoring services. Based on the reports issued by the third-party dark web monitoring service provider subscribed to by OHK and the agreed parameters of the monitoring, there has been no evidence indicating that any relevant personal data has been leaked in the dark web under the relevant parameters as a result of this cyberattack.

PCPD acknowledged that OHK regularly reviews the retention of personal data, but stated that there is still a need to establish a clear personal data retention policy. We fully understand and accept PCPD's perspective and acknowledge that there have been shortcomings in our past practices. In accordance with the PCPD's enforcement notice, we are in the process of establishing a personal data retention policy, which will specify data retention periods, outline procedures for the destruction of expired data, and enhance relevant internal monitoring measures, in order to comply with the provisions of the Personal Data (Privacy) Ordinance.

We place great importance on our supporters and are committed to fully safeguarding their personal information. We hope that individuals from all sectors will continue to support Oxfam's efforts in poverty alleviation, working together with us to build a world without poverty.

For any enquiries or assistance, please email us at [email protected] or contact us via the following hotlines: 2520 2525 

Last updated 15 Aug 2024

Follow-up from Oxfam HK – Cyberattack Incident

As a precautionary measure, our organisation has proactively notified the potentially affected individuals and advised them to consider taking data security protection measures. As of today, the Incident is still under investigation by cybersecurity experts, and we are unable to confirm the list of affected data subjects at this moment.

We assure you that data security is our top priority and we are taking this very seriously. We have already strengthened our digital defense to safeguard our information and systems according to the cybersecurity experts’ advice.

Last updated 25 July 2024

Follow-up from Oxfam HK – Cyberattack Incident

We are actively working with our cybersecurity experts to investigate into whether the Incident had resulted in any unauthorised disclosure of personal data that we hold, and the extent of any such disclosure.

As precautionary measures, please consider taking the following actions.

• You should stay vigilant regarding any unsolicited or suspicious communications, including phone calls, text messages, and emails. Please refrain from opening any suspicious attachments or links, and from disclosing any of your personal data in response to any of these suspicious communications.
• Please be alert of any suspicious activities, including any unusual logins or transaction records.

We assure you that data security is our top priority and we are taking this very seriously. We remain committed to continuously strengthening our digital defense to safeguard our information and systems. We will take the necessary and appropriate steps as and when we have further information.

Last updated 20 July 2024

In the morning of 10 July 2024, Oxfam Hong Kong (“OHK”) discovered that it had experienced a cyberattack incident affecting certain of its systems, including the Oxfam TrailWalker system (the “Incident”).

OHK has immediately initiated an investigation into the Incident. OHK has promptly engaged independent cybersecurity experts to conduct an examination of the affected systems to assess the impact of the Incident and remediate the Incident.

Reports have been made to the relevant authorities in Hong Kong, including the Police, the Office of the Privacy Commissioner for Personal Data and the Hong Kong Computer Emergency Response Coordination Centre.

We want to assure our donors and partners that data security is our top priority and we take this very seriously. OHK remains committed to continuously strengthening its digital defense to safeguard its information and systems.

OHK further encourages all stakeholders to exercise heightened caution. Should you receive any suspicious emails, messages, or links from OHK, we advise you to refrain from opening or accessing these. 

For any enquiries or assistance, please email us at [email protected] or contact us via the following hotlines: 2520 2525