Skip to content

Media Statements

Media Statement - Ransomware Attack on Digital Marketing Agencys Computer System Privacy Commissioner Commenced Investigation

Date: 21 October 2021

Ransomware Attack on Digital Marketing Agency’s Computer System
Privacy Commissioner Commenced Investigation

The Office of the Privacy Commissioner for Personal Data (PCPD) has successively received data breach notifications from Fimmick CRM Limited (Fimmick) and its corporate clients since 4 October 2021, reporting that Fimmick’s computer system had been attacked by ransomware in September 2021 which caused the leakage of some of the personal data processed by Fimmick.
 
According to the information available to the PCPD, Fimmick is a digital marketing agency headquartered in Hong Kong, providing digital marketing and customer relationship management services to corporate clients. Having considered that Fimmick holds and processes the personal data of the customers of a number of Hong Kong companies, including their names, dates of birth, telephone numbers, email addresses and residential addresses, etc., and that the number of individuals affected in the incident could be enormous (up to the present, the number of affected individuals might exceed 35,000, and the actual number is yet to be confirmed by Fimmick), the PCPD contacted Fimmick on 6 October to follow up the matter and commenced an investigation in relation to the incident on 12 October. The PCPD subsequently received further information from Fimmick on 20 October.
 
As of today (21 October), the PCPD learnt that customers of L’Oreal Hong Kong Limited 歐萊雅香港有限公司 were confirmed to be affected in the incident, and the personal data leaked included their names, telephone numbers, email addresses, residential addresses, months of birth, Facebook names and Facebook email addresses. The PCPD has also received data breach notifications from other nine companies (Fimmick's corporate clients) regarding the incident, reporting that they were still investigating the matter: 
  • Bupa (Asia) Limited 保柏(亞洲)有限公司
  • Coca-Cola China Limited 可口可樂中國有限公司
  • Europe Group Holdings Limited 歐洲坊控股有限公司
  • Green Square Marketing Limited 綠坊市場發展有限公司
  • Mead Johnson Nutrition (Hong Kong) Limited 美贊臣營養品(香港)有限公司
  • Mentholatum (Asia Pacific) Limited 曼秀雷敦(亞洲太平洋)有限公司
  • MHK Restaurants Limited 香港麥當勞
  • Nestle Hong Kong Limited 雀巢香港有限公司
  • Reckitt Benckiser Hong Kong Limited 利潔時有限公司
The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, appeals to citizens who have provided personal data to the above companies, including those who have become their fan club members or made online purchases of the relevant products, to be vigilant about potential theft of personal data. If they are in doubt about whether their personal data have been leaked, they may make enquiries with the companies concerned or make enquiries/complaints to the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk). To protect personal data privacy, affected citizens are also advised to take the following measures: -
  • Change the passwords of the registered accounts concerned and other platforms as well;
  • Enable the two-factor authentication feature (if available);
  • Beware of any unusual logins of any registered accounts and personal emails; and
  • Stay vigilant when they receive any suspicious calls, text messages or emails or any calls, text messages or emails from unknown sources. 
The Privacy Commissioner also appeals to the organisations affected by the incident to report the matter to the PCPD and notify the affected customers as soon as practicable if they consider that there is leakage of the personal data of their customers in the incident.
 
The Privacy Commissioner wishes to remind organisations to take effective security measures to protect the personal data of their customers as required by the Personal Data (Privacy) Ordinance. If an external service provider is engaged as a data processor, the organisation must adopt contractual or other means to safeguard personal data from unauthorised or accidental access, processing, loss or use.
 
-End-