
Case Notes


This case relates to DPP 4 – Security of personal data

Case No.: 2016DB03

Data leakage via a phishing email involving 6,131 members of an institute – DPP 4 – security of personal data

Background

An institute reported to the PCPD that it had inadvertently sent a list containing the names (with suffixes) and email addresses of 6,131 members in response to a deceptive phishing email, which purported to come from the Chief Executive of the institute and requested members’ information.

The institute explained that the phishing email asked for the information to be sent to two specified email addresses: one was the Chief Executive’s official email address, while the other purported to be his personal email address. Because the staff member who received the request believed that the Chief Executive urgently needed the information, he complied with the request and thereby caused the leakage. The institute further explained that, although its membership database was password-protected and encrypted, the list generated from that database for this incident was not protected by any security measure.

Remedial Measures

The institute subsequently took the following remedial actions to prevent recurrence of the incident:

  1. Requiring all staff to protect files containing personal data by password for email communications and restricting the use of personal email accounts for business-related matters;
  2. Reminding all staff to strictly adhere to the requirements stipulated in its Information Security Policy and Acceptable Use Policy;
  3. Providing training to enhance staff awareness of information technology security; and
  4. Engaging an external information technology consultant to provide continuous security monitoring and consultation on information technology and data protection matters.
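The pattern in this case (an executive’s display name on an address that is not the executive’s official mailbox, followed by a bulk member list being sent to a mailbox outside the institute) can be turned into two mechanical checks. The example below is an added illustration and is not part of the PCPD case note or of the institute’s own controls; the organisational domain, the executive directory, the thresholds and the sample messages are all constructed for the illustration.

```python
"""Two checks modelled on PCPD case 2016DB03 (added example, not the case note's own material).

1. Inbound: a From: header whose display name matches a known executive but whose
   address is not that executive's official mailbox is flagged as possible impersonation.
2. Outbound: a message carrying an attachment with many personal-data records
   (rows containing an email address) addressed to any mailbox outside the
   organisation's domain is held for review.

ORG_DOMAIN, EXECUTIVES and the sample messages are assumptions constructed for
illustration; they are not taken from the case note.
"""
import csv
import io
import re
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "institute.example"                       # assumed organisational domain
EXECUTIVES = {                                          # assumed directory: display name -> official address
    "chief executive": "ce@institute.example",
}
EMAIL_RE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[a-z]{2,}", re.I)


def check_inbound(from_header: str) -> list[str]:
    """Return the reasons an inbound From: header looks like executive impersonation.

    An empty list means the header raised no concern.
    """
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    reasons = []
    official = EXECUTIVES.get(name)
    if official and addr != official:
        reasons.append(f"display name '{name}' does not match official address {official}")
    if official and not addr.endswith("@" + ORG_DOMAIN):
        reasons.append(f"sender address {addr} is outside {ORG_DOMAIN}")
    return reasons


def count_personal_records(csv_text: str) -> int:
    """Count the rows of a CSV export that contain at least one email address."""
    rows = csv.reader(io.StringIO(csv_text))
    return sum(1 for row in rows if any(EMAIL_RE.fullmatch(cell.strip()) for cell in row))


def check_outbound(to_header: str, attachments: dict[str, str], threshold: int = 50) -> list[str]:
    """Return the reasons an outbound message should be held.

    The message is held when at least one recipient is outside ORG_DOMAIN and at
    least one attachment holds `threshold` or more personal-data records. A list
    sent only to the official internal mailbox passes this check.
    """
    external = [addr.lower() for _, addr in getaddresses([to_header])
                if not addr.lower().endswith("@" + ORG_DOMAIN)]
    bulk = {name: n for name, body in attachments.items()
            if (n := count_personal_records(body)) >= threshold}
    if not (external and bulk):
        return []
    return [f"{name}: {n} personal-data records addressed to external recipient(s) {', '.join(external)}"
            for name, n in bulk.items()]


# Constructed sample: a member list of 60 rows (name with suffix, email address).
SAMPLE_LIST = "name,email\n" + "".join(
    f"Member {i} Esq.,member{i}@mail.example\n" for i in range(60))


if __name__ == "__main__":
    # Constructed From: header of the kind described in the case.
    print(check_inbound("Chief Executive <chief.exec@webmail.example>"))
    # Constructed reply: official mailbox plus a purported personal mailbox.
    print(check_outbound("ce@institute.example, ce.home@webmail.example",
                         {"members.csv": SAMPLE_LIST}))
```

Both checks are heuristics: an attacker who registers a look-alike address inside a compromised internal account, or who sends the list in a format the record counter does not parse, will slip past them. They complement rather than replace the out-of-band confirmation (a phone call to the executive’s known number) that would have stopped this request.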

(Uploaded in July 2022)

