Media Statements
Media statement - Privacy Commissioner’s Office Publishes Findings on the Data Breach Incident of Consumer Council
Date: 2 May 2024
Privacy Commissioner’s Office Publishes Findings on the Data Breach Incident of Consumer Council
On completion of its investigation into a data breach incident of the Consumer Council (the Council), the Office of the Privacy Commissioner for Personal Data (PCPD) published its findings today. The investigation arose from a data breach notification lodged by the Council reporting that its servers had been attacked by ransomware (the Incident). The Incident resulted in unauthorised access to the Council’s data, which involved the personal data of more than 450 individuals, including complainants, personnel of information technology service vendors, and current and former staff members of the Council.
The PCPD thanked the Council for the various information and cooperation provided by the Council in the investigation. The investigation revealed that a hacker group had obtained the credentials of a user account with administrative privileges and gained access to the Council’s network through a Virtual Private Network. The hacker then deployed ransomware in the servers and endpoints of the Council.
According to the evidence obtained in the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, considered that the Incident was caused by the following deficiencies of the Council:
Based on the above, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that the Council had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the Council, directing it to remedy the contravention and prevent similar recurrence of the contravention.
With the advancement of technologies, the adoption of information and communications technologies, hybrid work model and remote access to data have become the new normal. While technological development brings benefits and convenience, it also inevitably increases the risks of data security. To address cybersecurity threats, organisations should regularly review and strengthen the security measures of their information systems. The Privacy Commissioner wishes to make the following recommendations to organisations which use information and communications technologies for processing personal data:
Download the report of “Ransomware Attack on the Information Systems of the Consumer Council”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_14749_e.pdf
The PCPD thanked the Council for the various information and cooperation provided by the Council in the investigation. The investigation revealed that a hacker group had obtained the credentials of a user account with administrative privileges and gained access to the Council’s network through a Virtual Private Network. The hacker then deployed ransomware in the servers and endpoints of the Council.
According to the evidence obtained in the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, considered that the Incident was caused by the following deficiencies of the Council:
- Failure to enable multi-factor authentication for remote access to data, thereby allowing the hacker to gain access to the Council’s network through the compromised account credentials, conduct ransomware attack and access the personal data held by the Council;
- Failure to properly configure the cybersecurity solutions adopted to detect and block cybersecurity threats, resulting in the failure of the cybersecurity solutions to send email alerts to the Council when cybersecurity threats were detected;
- Lack of sufficient safeguard to prohibit or prevent the storage of personal data on testing servers, which led to the personal data of 289 complainants held by the Council being stored in a testing server that was not protected by the cybersecurity solutions because of human error or oversight, and in turn, exposed to hacking attack;
- Lack of specificity and comprehensiveness in the policies on information security, which did not provide a concrete cybersecurity framework or IT security review requirements and procedures for its staff members to follow; and
- Inadequate awareness of information security and data protection: Apart from the storage of personal data on the testing server owing to human error or oversight, the investigation also revealed that a former IT staff member had not enforced the complex password policy of the Council in the system settings at the time of the Incident, rendering its password policy ineffective. The above examples reflected the lack of awareness of the staff members of the Council in protecting personal data privacy and information security.
Based on the above, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that the Council had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the Council, directing it to remedy the contravention and prevent similar recurrence of the contravention.
With the advancement of technologies, the adoption of information and communications technologies, hybrid work model and remote access to data have become the new normal. While technological development brings benefits and convenience, it also inevitably increases the risks of data security. To address cybersecurity threats, organisations should regularly review and strengthen the security measures of their information systems. The Privacy Commissioner wishes to make the following recommendations to organisations which use information and communications technologies for processing personal data:
- Adopt multi-factor authentication for remote access to information and communications systems to minimise the risk of attacks targeting information systems;
- Establish a robust cybersecurity framework, allocate sufficient resources and formulate effective strategies and measures to prevent, detect and respond to cyberattacks, thereby reducing the possibility of cyberattacks and the risk of data leakage;
- Conduct regular risk assessments and security audits of information systems;
- Establish a corporate culture that values data security; and
- Devise effective training plans to enhance staff awareness and competence in data security and personal data protection.
Download the report of “Ransomware Attack on the Information Systems of the Consumer Council”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_14749_e.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the findings on the data breach incident of the Council.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the findings on the data breach incident of the Council.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left) and Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei (right), elaborated on the findings on the data breach incident of the Council.
-End-