On completion of its investigation into the data breach incident of the South China Athletic Association (SCAA), the Office of the Privacy Commissioner for Personal Data (PCPD) published its findings today.
The investigation arose from a data breach notification submitted by the SCAA to the PCPD on 18 March 2024, reporting that its servers had been attacked by ransomware and maliciously encrypted (the Incident).
The investigation revealed that in January 2022 a hacker installed malware on one of the SCAA’s servers which was connected to the internet, but there was no evidence of further malicious activities at that time. In March 2024, the hacker compromised the SCAA’s network through the malware created on the aforesaid server and installed remote control software. The hacker subsequently launched brute force attacks on the computer systems of the SCAA through remote access and carried out other malicious activities, including network reconnaissance, defence evasion, disabling anti-virus and anti-malware software, installation of credential harvesting tools and lateral movement, and eventually encrypted files containing the personal data of members through ransomware. The ransomware concerned was a variant of Trigona. In the Incident, a total of eight servers, one data storage device and 18 computers of the SCAA were attacked and encrypted by ransomware. The hacker demanded a ransom from the SCAA to unlock the encrypted files.
The Incident affected the personal data of 72,315 members of the SCAA. The personal data involved included names, Hong Kong Identity Card numbers, passport numbers, photos, dates of birth, addresses, email addresses, telephone numbers, and the names and telephone numbers of emergency contact persons.
The SCAA has notified all affected members and implemented a series of improvement measures to enhance system security after the Incident, which included restricting the connection of intranet services to the Internet, enabling multi-factor authentication for administrator accounts, formulating guidelines on the use of passwords, conducting regular scans to identify security vulnerabilities of its network and fully implementing offline backup of data.
The PCPD thanked the SCAA for its cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the SCAA were contributing factors to the occurrence of the Incident:
- Accidental exposure of the relevant server to the Internet, which significantly increased the risk of cyberattacks to the computer systems of the SCAA. As a result, the hacker used the server concerned as a stepping stone to infiltrate its network and launch ransomware attacks;
- Lack of effective detection measures in the information systems to identify the malicious activities of the hacker conducted in January 2022, which allowed the hacker to intrude into the network of the SCAA in March 2024 through the malware created on the compromised server, remotely control the affected computers, create accounts with administrative rights, and disable the anti-virus and anti-malware software on the server concerned. Between 15 and 16 March 2024, the hacker conducted brute force attacks and made over 43,400 login attempts on another administrator account of the compromised server, with more than 20,000 attempts recorded within a four-hour period. Because the SCAA had not enabled the intruder lockout function for failed login attempts at the material time, the hacker was able to continue the brute force attacks without interruption;
- Failure to enable multi-factor authentication for administrator accounts, which allowed the hacker to access the operating system of the compromised server without any additional identity verification process, and to carry out various malicious activities and encrypt the personal data of members;
- Lack of policies and guidelines on information security, which resulted in the failure to provide comprehensive and concrete security review requirements and procedures on information systems for staff members to follow. The SCAA also failed to formulate a written password policy to set out password complexity requirements, and failed to implement an intruder lockout function and password expiration periods to safeguard the security of user accounts;
- Absence of regular risk assessments and security audits to review the effectiveness of security measures, resulting in the failure to take improvement measures to protect the systems which contained the personal data of members from cyberattacks; and
- Lack of offline data backup solutions, hence the backup data of members were encrypted by the hacker in the Incident and this increased the difficulty of data recovery.
Based on the above, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that the SCAA’s awareness of the need to protect the personal data of its members was weak. Given that the SCAA is a long-established sports organisation holding a significant amount of personal data, the Privacy Commissioner was very disappointed that it failed to implement effective information system security measures to safeguard members’ personal data prior to the Incident. The Privacy Commissioner was of the view that if the SCAA had adopted appropriate and adequate organisational and technical security measures before the Incident, the Incident could likely have been avoided. In this regard, the Privacy Commissioner found that the SCAA had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the SCAA, directing it to take measures to remedy the contravention and prevent recurrence of similar contravention in future.
Rising trend of data breach incidents relating to schools and non-profit-making organisations (NGOs) in recent years
The PCPD observed a clear upward trend in data breach incidents involving schools and NGOs in recent years. In 2023, among the 157 data breach notifications received by the PCPD, 61 cases involved schools and NGOs (accounting for approximately 39% of the total), which represented an increase of nearly 1.5 times (140%) when compared to 25 cases (about 24% of the total) in 2022. In the first three quarters of 2024, the PCPD received a total of 51 data breach notifications from schools and NGOs, accounting for about 33% of the total number of notifications received, and this is comparable to the percentage of such notifications received year-on-year. Therefore, the Privacy Commissioner is of the view that schools and NGOs should be vigilant and devote sufficient resources to enhance their data security measures so as to reduce the risks of cyberattacks on their personal data systems.
Statistics on data breach notifications involving schools and NGOs received by the PCPD from 2022 to 2024 (up to September) are set out below:
| Year | Total number of data breach notifications involving schools and NGOs (% of total) | Total number of data breach notifications |
| --- | --- | --- |
| 2022 | 25 (about 24%) | 105 |
| 2023 | 61 (about 39%) | 157 |
| 2024 (up to September) | 51 (about 33%) | 155 |
The PCPD launches “Data Security” Package
In addition, the PCPD warmly welcomes the policy objective of strengthening cybersecurity set out in the Chief Executive’s 2024 Policy Address. To strengthen the capabilities of schools, NGOs and small and medium enterprises (SMEs) in safeguarding data security and cybersecurity, the PCPD has launched the “Data Security” Package today. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of an assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures. In addition, the PCPD has launched the thematic webpage on data security and the “Data Security Hotline” 2110 1155 to provide relevant information and assistance in this regard. Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk.
The PCPD would collaborate with the education sector and NGOs respectively to host two seminars on data security in December 2024 to share some important tips on how to enhance data security and implement effective security measures. The PCPD has also been organising in-house seminars tailored to the needs of individual organisations, with the protection of data security included as part of the content of the seminars. In the first nine months of 2024, the PCPD organised in-house seminars for a total of 92 organisations.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, explained the “Data Security” Package launched by the PCPD.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left) and Chief Personal Data Officer (Compliance and Enquiries), Mr Brad KWOK Ching-hei (right), introduced the investigation findings of the data breach incident of the SCAA.
-End-