HK consumer watchdog requested to fix data security issues within 2 months

Hong Kong's privacy watchdog has requested the Consumer Council to fix its data protection issues within two months following its data breach incident, when the personal information of over 450 individuals was leaked due to a ransomware attack. 

The Office of the Privacy Commissioner for Personal Data’s (PCPD) investigation comes after a data breach notification lodged by the council in September last year, reporting that its servers had been attacked by ransomware.

Don't miss: HK consumer watchdog reveals suspected data leak following 7-hour ransomware attack

It resulted in unauthorised access to the council’s data, which involved the personal data of more than 450 individuals, including complainants, personnel of information technology service vendors, and current and former staff members of the council.

The investigation revealed that a hacker group had obtained the credentials of a user account with administrative privileges and gained access to the council’s network through a virtual private network (VPN). The hacker then deployed ransomware in the servers and endpoints of the council.

Privacy commissioner Ada Chung said the council failed to enable multi-factor authentication for remote access to data, thereby allowing the hacker to gain access to the council’s network through the compromised account credentials, conduct ransomware attacks and access the personal data held by the council.

Chung added that the council failed to properly configure the cybersecurity solutions adopted to detect and block cybersecurity threats, resulting in the failure of the cybersecurity solutions to send email alerts to the council when cybersecurity threats were detected. 

Moreover, there was a lack of sufficient safeguards to prohibit or prevent the storage of personal data on testing servers, which led to the personal data of 289 complainants held by the council being stored in a testing server that was not protected by the cybersecurity solutions because of human error or oversight, and in turn, exposed to a hacking attack. Meanwhile, the council did not provide a concrete cybersecurity framework or IT security review requirements and procedures for its staff members to follow

The investigation also revealed that a former IT staff member had not enforced the complex password policy of the council in the system settings at the time of the incident, which reflects the lack of awareness of the staff members of the council in protecting personal data privacy and information security.

Chung said while the council had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, it contravened Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data.

The PCPD has issued an enforcement notice to the council, instructing them to address the breach by implementing a strong cybersecurity framework, conducting regular risk assessments and system security audits, and enhancing training protocols. The council has to submit documents by 29 June to certify that they have complied with the directions.

In response, Consumer Council said in a statement that it has conducted a range of rectification measures immediately after the incident, including enabling Multi-Factor Authentication (MFA) for remote data access via VPN, conducting a comprehensive review of the cybersecurity solutions’ functions and appropriate settings, and further strengthening internal training to enhance staff's awareness and behaviour on cybersecurity.  

“The council is also improving its IT policies and guidelines and engaging managed detection and response services provider to enhance its ability to defend against cyberthreats,” the statement reads. 

Related articles:

Meta should allow users to opt out of targeted advertising for free, says EU privacy watchdog
HK privacy watchdog opens probe into Worldcoin amidst iris-scanning fears
HK privacy watchdog reveals 10 eateries' apps collect customers' data for marketing