physical-theft · Resolved

Hong Kong Registration and Electoral Office laptop theft

Two laptops stored at the fallback venue for Hong Kong's 2017 Chief Executive election were stolen, exposing the personal data — including ID-card numbers — of all 3.7 million registered voters.

Victim: Registration and Electoral Office (REO)
Records: 3.7M
Users: 3.7M

On 27 March 2017, just one day after Hong Kong's Chief Executive election, the Registration and Electoral Office (REO) discovered that two laptop computers had vanished from a locked storeroom — and with them, the personal data of all 3.7 million registered voters in the territory.

What happened

The two notebook computers had been placed on 22 March in a locked room at AsiaWorld-Expo, the large conference venue near Hong Kong International Airport that served as the fallback site for the 26 March election. The election itself proceeded at the main venue, where the 1,194-member Election Committee selected Carrie Lam as Chief Executive.

When staff checked the storeroom on 27 March, the laptops were gone. The REO reported a suspected theft to police and notified the Office of the Privacy Commissioner for Personal Data.

What was exposed

  • One laptop held the registration data of all 3.7 million voters in geographical constituencies, including names, Hong Kong identity-card numbers, physical addresses, and mobile phone numbers.
  • The other laptop contained the names of the 1,194 Election Committee members.

The REO stressed that the data was encrypted and said there was "no information so far showing any leakage of the relevant information." Critics, however, questioned why a complete copy of the entire electoral roll needed to be stored on portable computers at a backup venue at all, and pressed for details on the strength of the encryption and key handling.

Impact and response

This was, at the time, the largest loss of personal data in Hong Kong's history. Although no downstream misuse was ever confirmed, the breach badly dented public confidence in the government's handling of sensitive civic data. The episode triggered a security review of the REO's data-handling practices, and the government later reported remedial measures to the Legislative Council, including tighter controls on when and where bulk voter data could be copied and stored.

Why it matters

The REO theft is a landmark case in physical-security and data-minimisation failure. No sophisticated hacking was involved — the entire electorate's records walked out of a locked room on two laptops. It underscored principles that now anchor government data governance: do not replicate entire population databases onto portable devices, enforce strong, auditable encryption when bulk personal data must travel, and treat physical custody of devices as a first-order security control. For Hong Kong, it became the reference incident driving reform of how electoral and citizen data are stored and transported.

Timeline

  1. Two REO notebook computers are placed in a locked storeroom at AsiaWorld-Expo, the fallback venue for the Chief Executive election.

  2. The 2017 Chief Executive election is held; Carrie Lam is selected by the 1,194-member Election Committee.

  3. REO staff discover the two laptops missing from the locked storeroom and report a suspected theft to police.

  4. The REO notifies the Office of the Privacy Commissioner for Personal Data and confirms the data was encrypted.

  5. The government provides a Legislative Council update on the investigation and remedial measures taken by the REO.

Sources

  1. info.gov.hk: https://www.info.gov.hk/gia/general/201703/27/P2017032701112p.htm
  2. scmp.com: https://www.scmp.com/news/hong-kong/politics/article/2082566/laptops-containing-37-million-hong-kong-voters-data-stolen
  3. bankinfosecurity.com: https://www.bankinfosecurity.com/hong-kong-loses-37-million-voter-registration-records-a-9802
  4. hongkongfp.com: https://hongkongfp.com/2017/03/27/just-hong-kong-govt-loses-computers-personal-data-registered-voters/

Related incidents

Vulnerability exploit · Resolved

Estonian ID-card ROCA crypto crisis

A flaw in Infineon's RSA key-generation library (ROCA, CVE-2017-15361) made it theoretically possible to forge digital identities for some 750,000 Estonian ID-cards, forcing a nationwide certificate suspension and emergency remote re-keying.

Victim: Republic of Estonia (national ID-card / e-residency)

Data breach · Resolved

Swedish Transport Agency data leak

A botched IT outsourcing deal exposed Sweden's entire vehicle and driver-licence database — including data on protected identities, police, and military personnel — to foreign IT workers without security clearance, triggering a national political crisis.

Victim: Swedish Transport Agency (Transportstyrelsen)

Espionage · Resolved

Qatar News Agency hack

Attackers planted malware on Qatar's state news agency in April 2017 and exploited it on 24 May to publish fabricated quotes attributed to the Emir, providing the pretext used by Saudi Arabia, the UAE, Bahrain, and Egypt to launch a blockade of Qatar.

Victim: Qatar News Agency (QNA)