Credit card data of 11,655 Hong Kong customers hacked by zero-day malware – DPP 4 – security of personal data
Background
It was reported in local newspapers that the credit card systems of an international hotel group were attacked by zero-day malware and, as a result, the names and credit card numbers of customers who had used credit cards to purchase products and services were suspected to have been leaked. The hotel group subsequently reported to the PCPD that two of the group’s hotels in Hong Kong were involved in the incident, affecting a total of 11,655 sets of credit card data.
The hotel group explained that it was first notified in February 2015 by its card processing company in Switzerland of the possibility of a malware attack on its information systems. Forensic investigations revealed that a hacker gained access to the group’s network through a server in its hotel in Jakarta. The hacker used a system account with administrative privileges and planted the malware in the group’s systems worldwide in order to gain access to the credit card data. The investigations suggested that there was no evidence that the credit card data had been exfiltrated or removed from the group’s systems.
Immediately after the incident, the group notified all affected customers (including Hong Kong customers) and engaged antivirus solution providers to develop new virus signatures to remove the malware. It also changed all the system passwords, blocked all unnecessary network services and disconnected decommissioned servers from its network.
Remedial Measures
The hotel group had also taken the following remedial actions to prevent similar incidents:
(Uploaded in July 2022)