The Correctional Services Department today announced that an IT system security incident involving illegal access to one of its IT systems maintaining staff personal data was found on Tuesday, however there was no evidence indicating that relevant data had been leaked or disclosed.

The department immediately reported the incident to Police. 

After a preliminary investigation, the department believes that the incident involved illegal access to the internal Knowledge Management System by a hacker, through which the hacker then illegally accessed another IT system maintaining the personal data of its staff. 

Relevant data included the names, genders, dates of birth, academic qualifications, information of employment history in the department and email addresses of about 6,800 serving and departing staff.

The department took immediate action after the incident, including isolating the internal Knowledge Management System, notifying users to change passwords, thoroughly reviewing all systems under the department's purview and activating back-up procedures, as well as requesting the outsourced service provider to commence an investigation. 

Apart from reporting the incident to Police, the department has also reported it to the Security Bureau, the Office of the Privacy Commissioner for Personal Data (PCPD) and the Digital Policy Office (DPO).

The department added that although there is no evidence indicating that relevant data has been leaked, it has started informing all possibly affected individuals of the situation for prudence sake. In case of suspicious circumstances, they should report to Police as soon as possible.

The department is very concerned about the incident and is consulting the PCPD and the DPO, with a view to conducting a comprehensive review of the incident and taking further enhancement measures for personal data protection to prevent a recurrence of similar incidents.