Privacy office raps retailers over data breaches - RTHK

Privacy office raps retailers over data breaches

2025-08-21 HKT 16:12
Privacy Commissioner Ada Chung speaks to Hailey Yip
The Office of the Privacy Commissioner for Personal Data has issued enforcement notices to three retail organisations following cybersecurity incidents that compromised the personal data of more than 130,000 customers and employees.

The first breach involved Japanese fashion retailer Adastria. The office reported that a hacker used an employee's administrator credentials to access the retailer's platforms, which are provided by a third-party vendor, from an unknown overseas IP address, downloading order information and leaking the data of 59,205 Hong Kong customers.

The compromised information included names, telephone numbers, and order details.

During its investigation, Adastria discovered that the affected data had been disclosed on the Dark Web two months after the incident and was made available for download.

Privacy Commissioner Ada Chung said the investigation found deficiencies within the organisation that contributed to the incident, including weak password management, failure to enable multi-factor authentication, insufficient awareness regarding personal data security and a lack of proper security reviews for the retailer's platforms.

The other breach involved a server shared by My Jewelry and its parent company, Kwong's Art Jewellery, in which the data of 79,400 individuals were exposed.

The compromised records belonged to customers and current and former employees and included highly sensitive information such as names, Hong Kong identity card numbers, dates of birth, telephone numbers, addresses, email addresses, membership numbers and employee commencement dates.

Chung said the investigation revealed a hacker had performed a brute-force attack to obtain the credentials of an administrator account, which provided access to the two companies' information systems.

Both breaches, she noted, involved retail organisations, which typically hold significant amounts of customer personal data.

She noted that such incidents highlight the connection between data breaches and the illegal sale of personal data for profit, as well as the use of this information by fraudsters for various schemes.

"In light of escalating cybersecurity threats, organisations should recognise that the personal data in their possession are valuable assets and they should allocate sufficient resources on cybersecurity and data security in order to safeguard the personal data in their possession," Chung said.

She called on individuals affected by the data breaches to remain vigilant.

"If they receive any unknown calls or unknown emails, they should be careful not to provide their personal data, including in particular, their banking account details, and they should also verify the identity of the caller if they are in doubt," she said.

"If they receive any emails with suspicious attachments or links, they should not open the links or the attachments."
