PCPD slams HK Laureate Forum and HK Ballet over poor data protection


Hong Kong's privacy watchdog has slammed The Council of the Hong Kong Laureate Forum (香港桂冠論壇委員會) and Hong Kong Ballet (HKB) (香港芭蕾舞團) over poor data protection in two separate data breaches last year. Close to 46,000 individuals were affected in the two incidents. 

In a statement seen by MARKETING-INTERACTIVE, privacy commissioner Ada Chung Lai Ling said the two organisations have violated the city's Personal Data (Privacy) Ordinance (PDPO) as they did not take "all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use."

In September last year, the Council of the Hong Kong Laureate Forum reported to the PCPD that its computer systems and file servers had been attacked by ransomware. The investigation revealed that the initial intrusion into the council’s network took place on 26 September 2023.

A hacker obtained administrator-level credentials through a brute force attack and subsequently gained access to the council’s server from the firewall VPN zone. The hacker then performed lateral movement within the network and deployed the ransomware named "Elbie". This resulted in the encryption of files on one server and seven endpoints, with the hacker also sabotaging backup data stored on another server.

The ransomware attack affected the personal data of 8,122 individuals, including around 7,200 e-newsletter subscribers' names and email addresses. The other 920 affected individuals include applicants for young scientists, Shaw Laureates, speakers, reviewers, staff, and board members of the council, whose personal information, such as contact details, HKID card numbers, and financial data, was exposed.

Chung said the council has deficiencies in its information system management, including failure to update the firmware of the firewall, lack of any anti-virus software updates since 2019, absence of multi-factor authentication for remote access, no password policy, and a lack of network segmentation and internal firewall security rules.

The council was also found to have inadequate policies and guidelines on information security, as well as a lack of appropriate data backup solutions.

Ransomware attack on HKB’s servers

Meanwhile, in September last year, HKB reported that it had suffered a ransomware attack, which affected four physical servers of its information systems.

The investigation revealed that the initial intrusion into HKB’s network took place on 15 September 2023. As the operating software of a server was outdated, the hacker gained access to HKB’s network and employed various malicious tools and programmes to acquire passwords of the IT administrator and user accounts and to obtain information about the network and details of computers connected to the network. 

The hacker also employed a domain administrator account to deploy “LockBit” ransomware on HKB’s information systems, which resulted in the encryption of files and exfiltration of data and files stored therein.

While HKB was unable to determine the data contained in the encrypted files, it is estimated that the number of affected individuals might be 37,840, including HKB’s staff members, job applicants, ticket subscribers, guest artists, activity participants, donors, sponsors, and vendors. Their personal information, such as names, HKID Card numbers, passport numbers, and addresses, was affected.

According to Chung, the ransomware attack was due to factors such as outdated server software, unnecessary internet exposure during system migration by the service vendor, lack of monitoring of vendor security measures, and absence of security assessments and audits.
