Hong Kong Privacy Watchdog Slams Canvas Owner over Ransom Payment

Hong Kong’s privacy watchdog condemned the owner of the Canvas nightclub for paying a ransom after a cyber security breach affecting 34,000 individuals. The Silicon Review reports on the “unsatisfactory” response and on a separate OCIM data breach exposing 130,000 records.

Hong Kong’s privacy watchdog has strongly condemned the operator of the Canvas nightclub for paying a ransom to hackers following a cyber security breach that compromised the personal data of approximately 34,000 individuals.

The Office of the Privacy Commissioner for Personal Data concluded that Canvas Company Limited failed to take adequate steps to protect personal information before the attack. Unauthorized individuals gained access to the company’s cloud storage, exposing identity documents, addresses, phone numbers, and other contact details.

The hackers demanded a ransom, and the company paid it. The Privacy Commissioner’s office stated that while the ransom payment was not illegal, it was a “commercial decision” that the watchdog could not approve or endorse.

The commissioner’s office also found that Canvas failed to take remedial measures after the breach. The company was ordered to delete all remaining customer data, but authorities found it had not fully complied. The operator was also unable to provide a complete inventory of which specific data files had been affected, further complicating efforts to notify affected individuals.

Privacy Commissioner Ada Chung Lai-ling criticised the company’s overall response as “unsatisfactory,” noting that the breach could have been prevented or its impact minimized if proper security measures had been in place.

In a separate incident, the commission also issued an enforcement notice to OCIM Limited, a subsidiary of global commodity trader Olam Group, for failing to prevent a data breach affecting over 130,000 individuals. The hacker posted the stolen database for sale on the dark web after OCIM refused to pay a ransom.

A preliminary investigation found that OCIM had not carried out a security risk assessment before migrating a customer-facing web application to an external cloud server. The company stored personal data in a misconfigured cloud storage folder without password authentication, allowing any authenticated employee in its organisation to access it.

The hacker accessed the database through an employee who had legitimate access credentials and dumped the entire dataset. While OCIM deployed a network monitor after the leak, it failed to limit the risk immediately and did not notify the Privacy Commissioner’s office within the required five business days, as mandated under the Personal Data (Privacy) Ordinance.

By the third quarter of 2026, the Privacy Commissioner’s office expects to complete its investigation into OCIM and determine whether further enforcement action, including potential prosecution, is warranted.

The Silicon Review’s analysis indicates that Hong Kong’s data breach landscape is shifting from isolated incidents to a systemic pattern of negligent cloud migration practices. The Canvas and OCIM cases share a common thread: companies moving customer data to cloud environments without conducting proper risk assessments or implementing basic access controls, turning convenience into liability.

Q: How many individuals were affected by the Canvas nightclub data breach?
A: The cyber security breach compromised the personal data of approximately 34,000 individuals, including identity documents, addresses, phone numbers, and other contact details stored in the company’s cloud storage.

Q: Did the Hong Kong privacy watchdog approve of Canvas paying the ransom to hackers?
A: No. The Privacy Commissioner’s office stated that while the ransom payment was not illegal, it was a “commercial decision” that the watchdog could not approve or endorse. The company’s overall response was described as “unsatisfactory.”

Q: What failures did the investigation find in Canvas’s response to the data breach?
A: Canvas failed to take adequate remedial measures after the breach, did not fully comply with an order to delete remaining customer data, and could not provide a complete inventory of which specific data files had been affected.

Q: What was the OCIM Limited data breach about?
A: OCIM Limited, a subsidiary of global commodity trader Olam Group, suffered a breach affecting over 130,000 individuals. The hacker stole the database and posted it for sale on the dark web after OCIM refused to pay a ransom.

Q: How did the OCIM data breach occur?
A: OCIM stored personal data in a misconfigured cloud storage folder without password authentication, allowing any authenticated employee in the organisation to access it. A hacker accessed the database through an employee with legitimate credentials.

Q: What is the enforcement notice issued to OCIM Limited?
A: The Privacy Commissioner issued an enforcement notice requiring OCIM to take remedial measures and demonstrate compliance. The company failed to notify the commissioner’s office within the required five business days after discovering the breach, as mandated by the Personal Data (Privacy) Ordinance.