PCPD slams SCAA for lack of care as over 72,000 members' data leaked
Hong Kong’s privacy watchdog has slammed local sports club South China Athletic Association (SCAA) for its sloppy cybersecurity that led to an earlier data breach incident involving the personal data of over 72,000 members.
The Office of the Privacy Commissioner for Personal Data (PCPD) released an investigation report on Tuesday detailing the incident, which occurred in March when hackers infiltrated SCAA’s system, leaking members’ personal information including names, HKID and passport numbers, photos, dates of birth, addresses, and more.
The investigation found that hackers installed malicious software on one of SCAA’s internet-connected servers as early as January 2022, leading to a series of cyber attacks in March this year. The ransomware concerned was a variant of Trigona. In the Incident, a total of eight servers, one data storage device and 18 computers of the SCAA were attacked and encrypted by ransomware, after which the hacker demanded a ransom from the SCAA to unlock the encrypted files.
Ada Chung, the privacy commissioner of PCPD, expressed her disappointment that the SCAA failed to implement effective information system security measures to safeguard members’ personal data prior to the incident.
She found that the incident might have occurred due to accidental exposure of the relevant server to the Internet, which significantly increased the risk of cyberattacks to the computer systems of the SCAA. As a result, the hacker used the server concerned as a stepping stone to infiltrate its network and launch ransomware attacks.
Between 15 and 16 March 2024, the hacker conducted brute force attacks and made over 43,400 login attempts on another administrator account of the compromised server, with more than 20,000 attempts recorded within a four-hour period. Chung said that, as the SCAA had not enabled the intruder lockout function for failed login attempts at the material time, the hacker was able to continue the brute force attacks without interruption.
Failure to enable multi-factor authentication for administrator accounts, a lack of policies and guidelines on information security, the absence of regular risk assessments and security audits, and a lack of offline data backup solutions were also contributing factors to the incident.
The investigation concluded that the SCAA violated Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance, which mandates the protection of personal data against unauthorised access and processing.
The PCPD has issued an enforcement notice requiring the SCAA to address these violations and enhance their data protection strategies.
In response to the incident, SCAA said in an official statement on Tuesday that it had imposed a series of remedial actions immediately after the incident, and that it will adhere to the enforcement notice of the Privacy Commissioner for Personal Data, continuously strengthen its cyber security level and prevent such incidents from recurring, in the interest of its members.
The PCPD also revealed findings that highlighted a growing trend of data breaches among schools and non-profit organisations in Hong Kong, with nearly 39% of the 157 data breach notifications received by the PCPD in 2023 linked to these sectors. Reports indicated a sharp 140% increase in incidents involving schools and NGOs from 2022 to 2023.
To assist organisations in improving their data security, the PCPD has launched a “Data Security” Package, providing schools, NGOs, and small to medium enterprises with access to professional workshops and assessments of their data security measures, urging all organisations handling personal data to take proactive steps to safeguard their information systems.