Unauthorised access of personal data held by public schools via a web-based application system – DPP 4 – security of personal data
Background
Four public schools reported to PCPD that a web-based application system operated by them and developed by the government bureau responsible for education (the System) was compromised and the data contained therein were stolen. PCPD inquired the four schools and the bureau regarding the incident.
The compliance actions revealed that the bureau was responsible for providing technical support, guidelines and training to the schools regarding the System, whereas the schools being the System users were responsible for operating and maintaining the Systems as well as handling students’ personal data contained therein.
The bureau provided updated versions of the System from time to time with additional functions addressing cybersecurity issues. After detecting an unauthorised access into the System, the bureau released an updated version of the System fixing the security vulnerabilities, and requested the schools to update to the latest version within two weeks. However, not all schools suffering from the attack applied the update promptly.
Remedial Measures
In response to the incident, the bureau issued notices to schools reminding them to regularly review the operation of the System server and logs according to the applicable task list. The bureau also committed to having more direct communication with schools if a high-risk situation arose and an immediate critical security update was warranted. On the other hand, the bureau confirmed that the System was gradually moving to a centralised cloud platform so as to better monitor the suspicious activities and apply protective measures or new versions in a timely manner.
Lesson Learnt
No organisation could be completely immune from cyberattacks. It is therefore important for data users to take all reasonable precautions to protect their systems from cyberattacks. Although the bureau is not the data user in this incident, being the System provider as well as the supervisory body of public schools, the bureau could adopt a more proactive approach to direct its users to install all critical updates. On the other hand, the schools should have acted promptly once they received any notice regarding the update of the System from the bureau so as to safeguard data integrity and security.
(Uploaded in July 2022)