This report suggests some serious issues are afoot with security in Hong Kong:

The database contained complaints made from 1996 to 2004. As you would expect in such a database, it wasn’t just information on the complainant that was compromised, but also the name, age, gender, rank and station of the police officers against whom the complaints were made, and specifics of the complaint and the outcome, including any action taken against the officer, up to dismissal. Other index tables seemed to record the occupation of the complainant, their educational attainment, and whether they had a criminal record. Also, if the complainant had been charged with an offence, then the type of offence was recorded, and the outcome of the prosecution, including the type of sentence.

One table seemed to classify nationality into either Chinese, Mainlander, Vietnamese, Filipino, Pakistani or Others. Complaints were also categorised into causes (presumably the cause was concluded after investigation), including “tactical complaints” and “political complaints” – imagine who gets that category.

[…]

In our view, the Government will not escape blame in this episode. The IPCC secretariat apparently allowed its data to be taken off-site by a consultant, reportedly for the purpose of conversion of the database from one format used by COPA to another used by the IPCC. The person who worked for the consultant then reportedly left the consultancy, and took the data with him, storing it on the commercial server. An alternative explanation might be that the consultancy outsourced the work to him.

Ouch. Do you suppose people might just be afraid to complain about exposure of complaints?