Privacy rules broken in data leak of major fashion brands, Hong Kong watchdog finds

Hong Kong’s privacy watchdog has ruled that a group managing several international fashion brands in the city including Paul Smith and Brooks Brothers has violated the ordinance protecting customers’ data after a hack affected nearly 130,000 individuals.

The breach in May last year concerned ImagineX management, a company established in 1992 and which manages more than 20 international fashion and beauty brands in Hong Kong, Macau, mainland China and Taiwan.

“The Privacy Commissioner found that ImagineX had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use,” Brad Kwok Ching-hei, the watchdog’s chief personal data officer, said on Monday.

The company had contravened the Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data, he added.

The Office of the Privacy Commissioner for Personal Data’s six rounds of investigation found that the leak had affected mainly two loyalty programmes – ICARD and Brook Brothers – managed by the company and concerning 127,268 people.

The victims included 100,185 ICARD members and 27,069 Brook Brothers members, whose personal data, including names, email addresses, telephone numbers, birth months, sex and nationalities were put at risk.