Case Notes

Unauthorised access to an international fashion chain’s customer personal data system – DPP 4 – security of personal data

Background

An international fashion company reported to the PCPD that its customer personal data system for e-commerce customers and loyalty programme members suffered a ransomware attack. As a result, about 200,000 customer records containing names, telephone numbers, email addresses, genders and age ranges were compromised.

The company engaged an independent consultant for investigation, which revealed that the company had failed to identify a known exploitable vulnerability. The attacker successfully logged into the customer personal data system with valid credentials and installed ransomware in the company’s network.

Remedial Measures

The company took the following remedial measures:

1. Notified all affected customers;
2. Scanned the system for all identified vulnerabilities and applied patches;
3. Strengthened the detection and protection measures of its monitoring system;
4. Enforced multi-factor authentication at login; and
5. Defined retention periods and erased obsolete data on an annual basis.

Lesson learnt

Data users should regularly review and monitor security of their networks and test and apply security patches in a timely manner. Data users should also limit the retention period of personal data, which should not be longer than necessary for the fulfilment of the collection purpose. The shorter the retention period, the lower the security risks.

(Uploaded in June 2022)