Unauthorised access to an international fashion chain’s customer personal data system – DPP 4 – security of personal data
Background
An international fashion company reported to the PCPD that its customer personal data system for e-commerce customers and loyalty programme members suffered a ransomware attack. As a result, about 200,000 customer records containing names, telephone numbers, email addresses, genders and age ranges were compromised.
The company engaged an independent consultant for investigation, which revealed that the company had failed to identify a known exploitable vulnerability. The attacker successfully logged into the customer personal data system with valid credentials and installed ransomware in the company’s network.
Remedial Measures
The company took the following remedial measures:
Lesson learnt
Data users should regularly review and monitor the security of their networks, and should test and apply security patches in a timely manner. Data users should also limit the retention period of personal data, which should not be longer than is necessary for the fulfilment of the purpose of collection. The shorter the retention period, the lower the security risk.
(Uploaded in June 2022)