Case Notes

Unauthorised download of 210,000 customers’ personal data by a contractor – DPP 4 – security of personal data

Background

A bank informed the PCPD that its designated contractor had downloaded 964 data files from the bank’s computer workstation to his personal mobile device without authorisation, although he was granted access to those raw data under the bank’s supervision in a system development project. The personal data involved in the incident included the HKID Card numbers, residential and postal addresses, and fund investment details of approximately 210,000 customers.

The bank explained that the incident was caused by the misconfiguration of its data loss prevention system, which was set up to prevent unauthorised data transfer to external storage devices but failed to block the transfer of data from computer workstations to “Windows Portable Devices” such as smartphones and tablets. The bank stated that the data files downloaded had not been further disseminated or misused by the contractor.

Remedial Measures

The bank reported to the PCPD that it had taken the following remedial actions to prevent similar incidents:

1. Re-configuring the data loss prevention system controls to block all data connection with Windows Portable Devices;
2. Enhancing its inadvertent data disclosure tool and end-point security tool on its computer workstations to prevent malicious or unauthorised data transfer;
3. Implementing an Internet cloud-monitoring capability tool to monitor external data transfers through Internet services; and
4. Revising its procedures that allow only dummy or masked personal data to be used for the purposes of testing and system development in future.

(Uploaded in July 2022)