HK privacy watchdog uncovers security issues in Oxfam HK data leak
Hong Kong’s privacy watchdog has found that last year's data leak at Oxfam Hong Kong (OHK), which affected 550,000 individuals, violated the data protection law, citing the organisation's outdated firewalls and its failure to enable multi-factor authentication.
The Office of the Privacy Commissioner for Personal Data (PCPD) has released its investigation report regarding the data breach involving OHK, which was reported on 13 July 2024. The report reveals that Oxfam suffered from a ransomware attack that affected its information systems.
The investigation found that the threat actor used a brute-force attack and exploited critical vulnerabilities in Oxfam's firewalls, executing remote code to access the secure sockets layer virtual private network (SSL VPN) command console and take control of an IT tester account. This allowed them to connect directly to Oxfam’s information systems via SSL VPN, identify vulnerable servers, and gain administrator privileges in Oxfam's Active Directory. They then moved laterally, intruding into Oxfam’s servers, workstations, and notebook computers.
On 10 July 2024, the threat actor deployed "DarkHack" ransomware in Oxfam’s information systems, resulting in file encryption and data exfiltration. A total of 37 servers and 24 workstations or notebook computers were compromised, including the file server system, donor database and staging server, Oxfam Trailwalker website database, human resources systems, and Active Directory server.
The investigation found that over 330 GB of data was exfiltrated from Oxfam's information systems, potentially affecting around 550,000 individuals, including donors, volunteers, program partners, and staff members. The compromised personal data included names, HKID card numbers, passport numbers, dates of birth, contact details, and financial information.
Oxfam has notified affected individuals about the incident and implemented organisational and technical measures to enhance system security and protect personal data privacy, such as implementing the recommendations on information security measures made by external consultants. Oxfam is also committed to updating its IT policies to establish a comprehensive vulnerability management programme, including regular vulnerability scanning and penetration tests.
Having considered the circumstances of the incident and the information obtained during the investigation, privacy commissioner Ada Chung identified several deficiencies at Oxfam that contributed to the incident. These included outdated firewalls with critical vulnerabilities, failure to enable multi-factor authentication, missing critical security patches on servers, ineffective detection measures in the information systems, insufficient security assessments, vague information security policies, and the prolonged retention of personal data.
Chung considered that Oxfam, as a well-established organisation handling significant amounts of personal data, is expected by stakeholders and the public to allocate adequate resources to information system protection and data security. However, the investigation revealed that Oxfam did not implement sufficient measures to safeguard its systems before the incident and lacked an effective mechanism for the timely deletion of personal data retained longer than necessary.
Based on the above, the privacy commissioner considered that Oxfam had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data. In addition, the privacy commissioner found that Oxfam had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP 2(2) concerning the retention of personal data.
The privacy commissioner has served an enforcement notice on Oxfam, directing it to take measures to remedy the contravention and prevent the recurrence of similar contraventions in the future.
In response, Oxfam said in a statement that it places great importance on this incident and has implemented various remediation measures to enhance the overall system security. It is executing the relevant measures as required by the PCPD and will submit a report to them within two months.