National elections have become a global stage for hackers to display their virtuosity, bringing the question of cybersecurity to the forefront of the conversation. Since Barack Obama accused the Russians of meddling in 2016’s presidential election in favor of Donald Trump, several European countries have taken their own measures to avoid such cyberattacks.

Recently, the vulnerability of the voting process has once again been put on display. The Hong Kong Registration and Electoral Office has confirmed that on March 28, after their presidential elections, the personal data of 3.7 million voters was stolen.

In this case, we’re not dealing with a cyberattack carried out remotely, but rather an old school street theft: after the election, two laptops containing sensitive voter data disappeared from a room at the Asia World-Expo Center on the island of Lantau, according to national sources.

Contained on the hard drives were backups of citizens’ personal data, such as identity card numbers, addresses, and contact numbers, as well as the names of 1,194 members of the electoral committee who elected Lam Cheng Yuet-ngor as the new chief executive. Although Chinese authorities say the data is encrypted and therefore protected, police are currently investigating the whereabouts of the stolen devices.

As of now it has yet to be confirmed whether the data has been leaked, but the perpetrators of the theft could potentially sell their data plunder on the dark web. Dennis Kwok, a member of the Civic Party, says there are too many unanswered questions and asks for explanations as to why the data had been stored on those computers with no security beyond a locked door. “There is reason to believe that the laptops were stolen not because of their value,” Kwok warned.

According to Lam Cheuk-ting of the Democratic Party, it could be the largest data theft in the history of the small nation. Cheuk-ting also accuses the Hong Kong Registration and Electoral Office of concealing the theft until the facts came to light. The agency only made the incident public through a statement after the elections when faced with persistent questioning by the media. They later issued another press release to apologize for the mismanagement of the incident.

The State Government and Administration is obligated to protect the data of citizens, as established in legislation with regard to privacy. Although encrypting information is of vital importance, monitoring and controlling the computers where information is stored, including their location and access to the premises, would also be a necessary measure to prevent thefts such as this one.