On completion of its investigation into the data breach incidents of The Council of the Hong Kong Laureate Forum Limited (the Council) and The Hong Kong Ballet Limited (HKB), the Office of the Privacy Commissioner for Personal Data (PCPD) published its findings today.
(1) The Ransomware Attack on the Information Systems of the Council
The investigation arose from a data breach notification submitted by the Council to the PCPD on 27 September 2023, reporting that its computer systems and file servers had been attacked by ransomware (the Incident).
The investigation revealed that the initial intrusion into the Council’s network took place on 26 September 2023. It was discovered that a hacker obtained the credentials of a user account of the Council with administrator privileges through a brute force attack, and subsequently gained access to the Council’s server from the firewall VPN[1] zone. The hacker proceeded to perform lateral movement within the Council’s network and subsequently deployed and executed ransomware identified as “Elbie”, which resulted in the encryption of files contained in one server and seven endpoints. Furthermore, the backup data stored in another server was also sabotaged by the hacker.
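The Council incident began with credential guessing against an administrator account over the firewall VPN, with no multi-factor authentication to stop a correct guess from succeeding. The following is an added example, not from the PCPD report or the Council’s systems, of the kind of detection a defender would run over VPN authentication logs to surface that pattern: a burst of failures for one account from one source, followed by a success. The log format, account names and addresses are constructed for illustration.

```python
"""Brute-force detection over VPN authentication logs (added example).

Constructed log format (not from any real appliance):
  <ISO timestamp> vpn auth <FAIL|OK> user=<name> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: six failures for an admin account from one source within
# seconds, then a success; plus an ordinary mistyped-then-correct login.
SAMPLE_LOG = """\
2023-09-26T02:10:01Z vpn auth FAIL user=admin src=203.0.113.7
2023-09-26T02:10:03Z vpn auth FAIL user=admin src=203.0.113.7
2023-09-26T02:10:05Z vpn auth FAIL user=admin src=203.0.113.7
2023-09-26T02:10:07Z vpn auth FAIL user=admin src=203.0.113.7
2023-09-26T02:10:09Z vpn auth FAIL user=admin src=203.0.113.7
2023-09-26T02:10:11Z vpn auth FAIL user=admin src=203.0.113.7
2023-09-26T02:10:14Z vpn auth OK user=admin src=203.0.113.7
2023-09-26T08:00:00Z vpn auth FAIL user=alice src=198.51.100.4
2023-09-26T08:00:30Z vpn auth OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) vpn auth (FAIL|OK) user=(\S+) src=(\S+)$")
PRIVILEGED = {"admin"}  # assumption: names of privileged accounts to prioritise


def detect_brute_force(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by (src, user) for pairs with at least
    `fail_threshold` failures inside `window`, recording whether a
    later success followed and whether the account is privileged."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        result, user, src = m.group(2), m.group(3), m.group(4)
        key = (src, user)
        if result == "FAIL":
            # keep only failures still inside the sliding window
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= fail_threshold:
                alert = alerts.setdefault(
                    key, {"failures": 0, "success_after": False,
                          "privileged": user in PRIVILEGED})
                alert["failures"] = len(recent)
        elif key in alerts:
            # a success after a flagged burst is the highest-priority signal
            alerts[key]["success_after"] = True
    return alerts
```

A success following a flagged burst on a privileged account is the case to page on; with MFA enforced for remote access, a guessed password alone would not produce that line.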
The Incident affected the personal data of 8,122 individuals, which included approximately 7,200 e-newsletter subscribers, whose affected personal data comprised their names and email addresses. The other 920-odd individuals affected included applicants for young scientists, Shaw Laureates and their accompanying persons, forum ambassador/event helper applicants, locally engaged scientists and speakers, reviewers, event helpers, current and former staff members of the Council, as well as board members of the Council. The personal data affected included names, addresses, email addresses, telephone numbers, passport information, full/partial passport/Hong Kong Identity Card (HKID Card) numbers, bank account/credit card information, dates of birth, nationalities/places of birth, CVs/transcripts, affiliated organisations and/or academic backgrounds.
The Council implemented various organisational and technical remedial measures after the Incident, which included the configuration of firewall rules, the conduct of a full-scale account audit and implementation of a strong password policy, in order to enhance the overall system security to safeguard personal data privacy.
Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the Council were the contributing factors of the occurrence of the Incident:
- Deficiencies in information system management, which included the failure to update the firmware of the firewall, which had multiple critical vulnerabilities, the absence of any update of the anti-virus software database since 2019, the absence of multi-factor authentication for remote access to verify the identity of users, the absence of a password policy, the absence of network segmentation and internal firewall security rules, and the failure to conduct security audits and vulnerability assessments;
- Lax monitoring of the data security measures adopted by the service vendor, resulting in the Council’s failure to ensure that the vendor delivered all the services contained in its service agreement, including the timely update of software and the installation of patches. Consequently, the Council only discovered the outdated firewall firmware with multiple critical vulnerabilities and the outdated antivirus database after the Incident;
- Lack of policies and guidelines on information security, as a result of which staff members and vendors did not have a clear understanding of their responsibilities under the network security framework and the required security protocols and practices; and
- Lack of appropriate data backup solutions, which led to the failure to keep original data and backup data on different networks. Consequently, the backup data was sabotaged by the hacker in the Incident, making data recovery impossible.
Based on the above, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that the Council had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening the requirements concerning security of personal data under Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO).
The Privacy Commissioner has served an Enforcement Notice on the Council, directing it to take measures to remedy the contravention and prevent similar recurrence of the contravention.
(2) The Ransomware Attack on the Servers of HKB
The investigation arose from a data breach notification submitted by HKB to the PCPD on 16 October 2023, reporting that HKB suffered from a ransomware attack on 29 September 2023, which affected four physical servers of the information systems of HKB (the HKB Incident).
The investigation revealed that the initial intrusion into HKB’s network took place on 15 September 2023. As the operating software of a server (the Server) was outdated at the time of the HKB Incident, the hacker successfully gained access to HKB’s network by exploiting the vulnerabilities in the Server. Subsequently, the hacker employed various malicious tools and programmes, including credential dumping tools and remote access tools, to acquire passwords of the information technology (IT) administrator and user accounts and to obtain information about the network and details of computers connected to the network. The information obtained was used by the hacker to carry out lateral movement in HKB’s network.
On 17 September 2023, the hacker employed a domain administrator account to deploy “LockBit” ransomware on HKB’s information systems, which resulted in the encryption of files and exfiltration of data and files stored therein.
The investigation also found that HKB was unable to determine the data contained in the encrypted files. Based on HKB’s estimation, the number of affected individuals might be 37,840, which included HKB’s staff members, job applicants, ticket subscribers, guest artists, activity participants, donors, sponsors and vendors. The personal data affected included names, HKID Card numbers, passport numbers, photographs, dates of birth, addresses, email addresses, telephone numbers, health information, bank account numbers and/or credit card numbers (without CVV), employment information and academic information.
HKB implemented various organisational and technical remedial measures after the HKB Incident, which included redeploying its IT network infrastructure to align with security design principles, and updating its cybersecurity policies to enhance the overall system security to safeguard personal data privacy. HKB has also engaged a cybersecurity expert to provide advice on cybersecurity measures to improve and maintain its information systems in alignment with the latest cybersecurity standards.
Having considered the circumstances of the HKB Incident and the information obtained during the investigation, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that the following deficiencies of HKB were the contributing factors of the occurrence of the HKB Incident:
1. Outdated operating software of the Server, which was vulnerable to multiple critical remote code execution vulnerabilities. Moreover, HKB did not have any policy or procedures on the patching or updating of its servers, which revealed a glaring deficiency in HKB’s regular patching and updating practices;
2. Unnecessary exposure of the Server to the Internet during system migration performed by the service vendor, thereby significantly increasing the risk of cyberattacks. This led to the Server being exploited by the hacker in the HKB Incident;
3. Lack of monitoring of the data security measures adopted by the service vendor, resulting in HKB’s failure to ensure that the vendor performed timely updates and implemented adequate security measures to safeguard the personal data stored in the information systems. Further, there was no requirement on safeguarding data security in the relevant service contract signed with the service vendor; and
4. Absence of security assessments and security audits of the information systems, which resulted in HKB’s inability to identify the vulnerabilities in the Server and increased the risks of attacks on its information systems.
Based on the above, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that HKB had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening the requirements concerning security of personal data under DPP 4(1) of the PDPO.
The Privacy Commissioner has served an Enforcement Notice on HKB, directing it to take measures to remedy the contravention and prevent similar recurrence of the contravention.
The PCPD understands that small and medium enterprises and non-profit-making organisations may have only limited resources to devote to cybersecurity. However, it is worth noting that cyberattacks and data breaches have been on the rise globally with the increasing digitisation of organisations’ information systems.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, wishes to point out, “Given the escalating risks of cybersecurity, it is incumbent upon organisations of all sizes to strengthen cybersecurity and data security to defend against malicious attacks and protect the personal data in their possession”.
The Privacy Commissioner recommends that organisations take appropriate organisational and technical measures to protect information systems that contain personal data, including the following:
- Regularly conducting risk assessments of security systems;
- Using firewalls and other software to protect computer networks;
- Regularly updating software;
- Regularly conducting vulnerability assessments and penetration tests on information and communications systems;
- Implementing patch management;
- Separating internal database servers from web servers; and
- Providing appropriate training for employees to raise their security awareness to build a “human firewall”.
The PCPD encourages organisations to observe the recommendations contained in the “Guidance Note on Data Security Measures for Information and Communications Technology” and the “Guidance on Data Breach Handling and Data Breach Notifications” to prepare themselves against any cyberattacks and to enhance cybersecurity and data security. To assist organisations in safeguarding data security, the PCPD has already launched a “Data Security” thematic webpage[2], a “Data Security” hotline (2110 1155), and the “Data Security Scanner”[3], which is a self-assessment toolkit for organisations to assess the adequacy of their data security measures for information and communication technology systems.
The PCPD today published the findings on the data breach incidents of The Council of the Hong Kong Laureate Forum Limited and The Hong Kong Ballet Limited. Pictured are the Privacy Commissioner, Ms Ada CHUNG Lai-ling (middle), Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei (left) and Senior Personal Data Officer (Compliance & Enquiries), Mr John LO Ho-wing (right).
[1] Virtual private network
[2] https://www.pcpd.org.hk/english/data_security/index.html
[3] https://www.pcpd.org.hk/Toolkit/en/