Cybersecurity experts have urged authorities to impose fines on companies that experience data breaches, following the recent incident involving a major appliance distributor in Hong Kong. The breach affected over one million individuals, with their personal information maliciously encrypted, prompting a formal investigation by the city’s privacy watchdog.

The Office of the Privacy Commissioner for Personal Data announced on July 25 that it had launched an inquiry into the breach reported by Shun Hing Group on March 23. According to the latest update from the company, approximately 1.05 million people—primarily customers—had their personal data compromised. This included the names, addresses, and email addresses of more than 920,000 customers.

David Ip, founding chairman of the Hong Kong China Network Security Association, emphasized the need for stronger enforcement measures. He stated that protecting consumer data extends beyond regulatory compliance to safeguarding public trust, calling the scale of the breach “unacceptable.” Ip added that penalizing companies through fines was the most effective way to incentivize them to enhance their cybersecurity defenses.

The breach also impacted about 1,000 Shun Hing employees, whose identity card numbers, salary details, and other sensitive information were exposed. In an earlier statement released in April, Shun Hing acknowledged the cyberattack, confirming unauthorized access and damage to its computer systems. The company reported the incident to the police and engaged an independent cybersecurity team to investigate.

Lawmaker Duncan Chiu supported the call for discussion around penalties for data breaches, particularly among large conglomerates handling extensive personal data. He noted that Hong Kong’s inaugural anti-hacking legislation, the Protection of Critical Infrastructures (Computer Systems) Ordinance, serves as a foundational step to compel critical sector operators to bolster their cybersecurity measures. The law requires designated entities in eight essential sectors to protect their computer systems and report any cyberattacks.

Chiu remarked on the public’s understandable disappointment over data leaks but highlighted the need for broader debate regarding the extent to which companies, including small and medium-sized enterprises with limited resources, should be held accountable for cybersecurity lapses.

In response to inquiries, Shun Hing reiterated its condemnation of cybercrime and affirmed ongoing cooperation with law enforcement. The company said it has implemented stronger countermeasures and upgraded its cybersecurity infrastructure to prevent future incidents and to safeguard customer information.

The breach comes amid a series of cyberattacks faced by Hong Kong. Notably, in April, the Hospital Authority reported a significant data leak exposing the personal information of over 56,000 patients. These incidents underscore growing concerns over cybersecurity and data privacy across both the public and private sectors in the city.