Office of the Privacy Commissioner for Personal Data

2 April 2024 | Press release

Privacy Commissioner’s Office Publishes an Investigation Report on the Data Breach Incident of Cyberport

Date: 2 April 2024


On completion of its investigation into a data breach incident of the Hong Kong Cyberport Management Company Limited (Cyberport), the Office of the Privacy Commissioner for Personal Data (PCPD) published an investigation report today. The investigation arose from a data breach notification lodged by Cyberport reporting that its computer systems and file servers had been attacked by ransomware and maliciously encrypted (the Incident). A hacker group identifying itself as Trigona had demanded a ransom payment from Cyberport to unlock the encrypted files. The Incident resulted in the leakage of the personal data of more than 13,000 data subjects, about 40% of whom were unsuccessful job applicants and former employees.

The PCPD thanked Cyberport for the various information and cooperation provided by Cyberport in the investigation. According to the evidence obtained in the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, considered that the Incident was caused by the following deficiencies:
  1. Lack of effective detection measures in Cyberport's information systems, resulting in its failure to detect the hacker's brute force attacks on those systems. This allowed the hacker to obtain the credentials of user accounts with administrative privileges, and subsequently to launch ransomware attacks and exfiltrate the personal data stored in the systems;
  2. Failure to enable multi-factor authentication for remote access, so that users authorised to access Cyberport's network remotely were verified by their passwords alone. This allowed the hacker to gain access to the network through a remote desktop connection using the credentials of a user account, leading to the exfiltration of personal data;
  3. Insufficient security audits of the information systems, thereby failing to timely respond to changes in information technology and cybersecurity risks;
  4. Lack of specificity in the information security policy, which did not provide a concrete cybersecurity framework for its employees to follow; and
  5. Unnecessary retention of personal data: Cyberport failed to delete the personal data it collected after the expiration of the retention periods in accordance with its data retention policy, resulting in the unnecessary retention and hence leakage of the personal data concerned, which related to around 40% of the total number of individuals affected by the Incident.
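The first two deficiencies describe a pattern that is straightforward to surface from Windows Security logs: a burst of failed logons (event ID 4625) from one source address, followed by a successful logon (event ID 4624, logon type 10 for Remote Desktop) from the same source. The following detector is an added example, not code from the PCPD report or from Cyberport's systems. It assumes a simplified space-separated export of logon events (timestamp, event ID, source IP, target user, logon type), and the sample log lines are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs and the logon type used by Remote Desktop sessions.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
REMOTE_INTERACTIVE = 10  # RDP


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    source_ip: str
    user: str
    logon_type: int


def parse_line(line: str) -> LogonEvent:
    """Parse one record of the assumed export format:
    <ISO timestamp> <event id> <source ip> <target user> <logon type>"""
    ts, event_id, ip, user, logon_type = line.split()
    return LogonEvent(datetime.fromisoformat(ts), int(event_id), ip, user, int(logon_type))


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window brute-force detector keyed on source IP.

    Emits a 'burst' alert the first time a source reaches `threshold` failed
    logons inside `window`, and a 'burst_then_success' alert when the same
    source then logs on successfully while its burst is still inside the
    window. The second signal is the important one: it marks the moment a
    guessed credential starts being used."""
    failures = defaultdict(deque)  # source_ip -> deque of (ts, user) for recent 4625s
    burst_seen = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = failures[ev.source_ip]
        while q and ev.ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if ev.event_id == FAILED_LOGON:
            q.append((ev.ts, ev.user))
            if len(q) >= threshold and ev.source_ip not in burst_seen:
                burst_seen.add(ev.source_ip)
                alerts.append({
                    "kind": "burst",
                    "source_ip": ev.source_ip,
                    "ts": ev.ts,
                    "attempts": len(q),
                    "users": sorted({u for _, u in q}),  # >1 user suggests password spraying
                })
        elif ev.event_id == SUCCESS_LOGON and len(q) >= threshold:
            alerts.append({
                "kind": "burst_then_success",
                "source_ip": ev.source_ip,
                "ts": ev.ts,
                "attempts": len(q),
                "user": ev.user,
                "rdp": ev.logon_type == REMOTE_INTERACTIVE,
            })
    return alerts


# Constructed sample log (not real data): a benign user mistypes twice and then
# logs on; a remote host hammers the administrator account over RDP, then gets in.
SAMPLE_LOG = [
    "2024-08-01T02:10:00 4625 10.0.0.5 alice 10",
    "2024-08-01T02:10:20 4625 10.0.0.5 alice 10",
    "2024-08-01T02:10:40 4624 10.0.0.5 alice 10",
] + [
    f"2024-08-01T02:{14 + (10 * i) // 60:02d}:{(10 * i) % 60:02d} 4625 203.0.113.7 administrator 10"
    for i in range(12)
] + [
    "2024-08-01T02:16:05 4624 203.0.113.7 administrator 10",
]


def run_sample(threshold=10, window=timedelta(minutes=5)):
    """Run the detector over the constructed sample log."""
    return detect_bruteforce([parse_line(line) for line in SAMPLE_LOG], threshold, window)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the benign user never trips the detector, while 203.0.113.7 produces a `burst` alert at its tenth failure and a `burst_then_success` alert at the subsequent RDP logon. The threshold and window are deliberately parameters: the right values depend on the normal failure rate of the environment, and an exposed RDP endpoint usually warrants a much lower threshold than an internal one.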

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that Cyberport is a well-established organisation that continuously holds and processes a substantial amount of personal data of different individuals. In this regard, stakeholders and the public would reasonably expect Cyberport to allocate sufficient resources to ensuring the security of its information systems and data protection. Therefore, to meet the expectations of stakeholders and the public, Cyberport should have implemented adequate organisational and technical security measures to safeguard its information systems that contain personal data. However, the investigation revealed that Cyberport had failed to implement sufficient and effective measures to ensure the security of its information systems prior to the Incident. Cyberport had also failed to promptly delete data in respect of which the retention periods had expired in accordance with its data retention policy.

Based on the above, the Privacy Commissioner considered that Cyberport had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data.

In addition, the Privacy Commissioner found that Cyberport had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP2(2) concerning the retention of personal data.

The Privacy Commissioner has served an Enforcement Notice on Cyberport, directing it to remedy the contravention and prevent similar recurrence of the contravention.

Through the report, the Privacy Commissioner also wishes to make the following recommendations to organisations which use information and communication technologies for processing personal data:

  • Establish a personal data privacy management programme and appoint data protection officer(s);
  • Establish a robust cybersecurity framework;
  • Conduct timely risk assessments and security audits of information systems;
  • Establish a corporate culture that values information security; and
  • Delete personal data timely.

Download the Investigation Report "Ransomware Attack on the Information Systems of Hong Kong Cyberport Management Company Limited":
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_12170_e.pdf

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the investigation report on the data breach incident of Cyberport.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (right) and Senior Personal Data Officer (Compliance & Enquiries), Mr John LO Ho-wing (left), introduced the investigation report on the data breach incident of Cyberport.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the "Investigation Report on Ransomware Attack on the Information Systems of Hong Kong Cyberport Management Company Limited".
-End-